Generated docs from job=generate-docs branch=master [ci skip]

2023-11-28 16:18:43 +00:00
parent b915978256
commit d39bc9e09b
9 changed files with 167 additions and 102 deletions
@@ -1340,8 +1340,9 @@ credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,Wi
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,1,Azure - Search Azure AD User Attributes for Passwords,ae9b2e3e-efa1-4483-86e2-fae529ab9fb6,powershell
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
-credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
-credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
 credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
@@ -177,8 +177,9 @@ privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root acco
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 credential-access,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
-credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
-credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
+credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
 credential-access,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
 credential-access,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
@@ -1912,8 +1912,9 @@
 - [T1110.002 Brute Force: Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
-  - Atomic Test #1: Keychain [macos]
-  - Atomic Test #2: Keychain Dump [macos]
+  - Atomic Test #1: Keychain Dump [macos]
+  - Atomic Test #2: Export Certificate Item(s) [macos]
+  - Atomic Test #3: Import Certificate Item(s) into Keychain [macos]
 - [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
  - Atomic Test #1: Dumping LSA Secrets [windows]
 - [T1606.002 Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md)
@@ -443,8 +443,9 @@
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
-  - Atomic Test #1: Keychain [macos]
-  - Atomic Test #2: Keychain Dump [macos]
+  - Atomic Test #1: Keychain Dump [macos]
+  - Atomic Test #2: Export Certificate Item(s) [macos]
+  - Atomic Test #3: Import Certificate Item(s) into Keychain [macos]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
@@ -81476,20 +81476,25 @@ credential-access:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1555.001
    atomic_tests:
-    - name: Keychain
+    - name: Keychain Dump
+      auto_generated_guid: 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
+      description: "This command will dump keychain credential information from login.keychain.
+        \nSource: https://www.loobins.io/binaries/security/\n\n### Keychain File path\n
+        \ ~/Library/Keychains/\n  /Library/Keychains/\n  /Network/Library/Keychains/\n
+        \ [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)\n
+        \ "
+      supported_platforms:
+      - macos
+      executor:
+        command: sudo security dump-keychain -d login.keychain
+        name: sh
+        elevation_required: true
+    - name: Export Certificate Item(s)
      auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93
-      description: |
-        ### Keychain Files
+      description: 'This command finds all certificate items and sends the output
+        to local file in pem format.

-          ~/Library/Keychains/
-
-          /Library/Keychains/
-
-          /Network/Library/Keychains/
-
-          [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
-
-          [Keychain dumper](https://github.com/juuso/keychaindump)
+        '
      supported_platforms:
      - macos
      input_arguments:
@@ -81498,21 +81503,30 @@ credential-access:
          type: path
          default: "/tmp/certs.pem"
      executor:
-        command: |
-          security -h
-          security find-certificate -a -p > #{cert_export}
-          security import #{cert_export} -k
+        command: 'security find-certificate -a -p > #{cert_export}
+
+          '
+        cleanup_command: 'rm #{cert_export}'
        name: sh
-    - name: Keychain Dump
-      auto_generated_guid: 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
-      description: "This command will dump keychain credential information from login.keychain.
-        \nSource: https://www.loobins.io/binaries/security/"
+        elevation_required: false
+    - name: Import Certificate Item(s) into Keychain
+      auto_generated_guid: e544bbcb-c4e0-4bd0-b614-b92131635f59
+      description: 'This command will import a certificate pem file into a keychain.
+
+        '
      supported_platforms:
      - macos
+      input_arguments:
+        cert_export:
+          description: Specify the path of the pem certificate file to import.
+          type: path
+          default: "/tmp/certs.pem"
      executor:
-        command: sudo security dump-keychain -d login.keychain
+        command: 'security import #{cert_export} -k
+
+          '
        name: sh
-        elevation_required: true
+        elevation_required: false
  T1003.004:
    technique:
      x_mitre_platforms:
@@ -46064,20 +46064,25 @@ credential-access:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1555.001
    atomic_tests:
-    - name: Keychain
+    - name: Keychain Dump
+      auto_generated_guid: 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
+      description: "This command will dump keychain credential information from login.keychain.
+        \nSource: https://www.loobins.io/binaries/security/\n\n### Keychain File path\n
+        \ ~/Library/Keychains/\n  /Library/Keychains/\n  /Network/Library/Keychains/\n
+        \ [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)\n
+        \ "
+      supported_platforms:
+      - macos
+      executor:
+        command: sudo security dump-keychain -d login.keychain
+        name: sh
+        elevation_required: true
+    - name: Export Certificate Item(s)
      auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93
-      description: |
-        ### Keychain Files
+      description: 'This command finds all certificate items and sends the output
+        to local file in pem format.

-          ~/Library/Keychains/
-
-          /Library/Keychains/
-
-          /Network/Library/Keychains/
-
-          [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
-
-          [Keychain dumper](https://github.com/juuso/keychaindump)
+        '
      supported_platforms:
      - macos
      input_arguments:
@@ -46086,21 +46091,30 @@ credential-access:
          type: path
          default: "/tmp/certs.pem"
      executor:
-        command: |
-          security -h
-          security find-certificate -a -p > #{cert_export}
-          security import #{cert_export} -k
+        command: 'security find-certificate -a -p > #{cert_export}
+
+          '
+        cleanup_command: 'rm #{cert_export}'
        name: sh
-    - name: Keychain Dump
-      auto_generated_guid: 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
-      description: "This command will dump keychain credential information from login.keychain.
-        \nSource: https://www.loobins.io/binaries/security/"
+        elevation_required: false
+    - name: Import Certificate Item(s) into Keychain
+      auto_generated_guid: e544bbcb-c4e0-4bd0-b614-b92131635f59
+      description: 'This command will import a certificate pem file into a keychain.
+
+        '
      supported_platforms:
      - macos
+      input_arguments:
+        cert_export:
+          description: Specify the path of the pem certificate file to import.
+          type: path
+          default: "/tmp/certs.pem"
      executor:
-        command: sudo security dump-keychain -d login.keychain
+        command: 'security import #{cert_export} -k
+
+          '
        name: sh
-        elevation_required: true
+        elevation_required: false
  T1003.004:
    technique:
      x_mitre_platforms:
@@ -8,62 +8,25 @@ Adversaries may gather user credentials from Keychain storage/memory. For exampl

 ## Atomic Tests

- [Atomic Test #1 - Keychain](#atomic-test-1---keychain)
+- [Atomic Test #1 - Keychain Dump](#atomic-test-1---keychain-dump)

- [Atomic Test #2 - Keychain Dump](#atomic-test-2---keychain-dump)
+- [Atomic Test #2 - Export Certificate Item(s)](#atomic-test-2---export-certificate-items)
+
+- [Atomic Test #3 - Import Certificate Item(s) into Keychain](#atomic-test-3---import-certificate-items-into-keychain)


 <br/>

-## Atomic Test #1 - Keychain
-### Keychain Files
-
-  ~/Library/Keychains/
-
-  /Library/Keychains/
-
-  /Network/Library/Keychains/
-
-  [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
-
-  [Keychain dumper](https://github.com/juuso/keychaindump)
-
-**Supported Platforms:** macOS
-
-
-**auto_generated_guid:** 1864fdec-ff86-4452-8c30-f12507582a93
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| cert_export | Specify the path of the certificates to export. | path | /tmp/certs.pem|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-security -h
-security find-certificate -a -p > #{cert_export}
-security import #{cert_export} -k
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Keychain Dump
+## Atomic Test #1 - Keychain Dump
 This command will dump keychain credential information from login.keychain. 
 Source: https://www.loobins.io/binaries/security/

+### Keychain File path
+  ~/Library/Keychains/
+  /Library/Keychains/
+  /Network/Library/Keychains/
+  [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
+
 **Supported Platforms:** macOS


@@ -86,4 +49,74 @@ sudo security dump-keychain -d login.keychain



+<br/>
+<br/>
+
+## Atomic Test #2 - Export Certificate Item(s)
+This command finds all certificate items and sends the output to local file in pem format.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 1864fdec-ff86-4452-8c30-f12507582a93
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cert_export | Specify the path of the certificates to export. | path | /tmp/certs.pem|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+security find-certificate -a -p > #{cert_export}
+```
+
+#### Cleanup Commands:
+```sh
+rm #{cert_export}
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Import Certificate Item(s) into Keychain
+This command will import a certificate pem file into a keychain.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e544bbcb-c4e0-4bd0-b614-b92131635f59
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cert_export | Specify the path of the pem certificate file to import. | path | /tmp/certs.pem|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+security import #{cert_export} -k
+```
+
+
+
+
+
+
 <br/>