security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2022-04-11 15:22:21 +00:00
parent f13ec2fb08
commit da4d80c694
4 changed files with 16 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+1 -1
View File
@@ -479,7 +479,7 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run ex
defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
479 defense-evasion T1553.005 Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
480 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
481 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
482 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd command_prompt powershell
483 defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
484 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
485 defense-evasion T1036.005 Match Legitimate Name or Location 2 Masquerade as a built-in system executable 35eb8d16-9820-4423-a2a1-90c4f5edd9ca powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+1 -1
View File
@@ -307,7 +307,7 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run ex
defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
307 defense-evasion T1553.005 Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
308 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
309 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
310 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd command_prompt powershell
311 defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
312 defense-evasion T1036.005 Match Legitimate Name or Location 2 Masquerade as a built-in system executable 35eb8d16-9820-4423-a2a1-90c4f5edd9ca powershell
313 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
atomics/Indexes/index.yaml
+6 -5
View File
@@ -32330,11 +32330,12 @@ defense-evasion:
supported_platforms:
- windows
executor:
command: |-
copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
start %ALLUSERSPROFILE%\cmd.exe
cleanup_command: del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
name: command_prompt
command: "copy-item \"$env:windir\\System32\\cmd.exe\" -destination \"$env:allusersprofile\\cmd.exe\"\nstart-process
\"$env:allusersprofile\\cmd.exe\"\nsleep -s 5 \nstop-process -name \"cmd\"
| out-null"
cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction
silentlycontinue
name: powershell
- name: Malware Masquerading and Execution from Zip File
auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
description: When the file is unzipped and the README.cmd file opened, it executes
atomics/T1036/T1036.md
+8 -6
View File
@@ -26,17 +26,19 @@ It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a n
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `powershell`!
```cmd
copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
start %ALLUSERSPROFILE%\cmd.exe
```powershell
copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5
stop-process -name "cmd" | out-null
```
#### Cleanup Commands:
```cmd
del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
```powershell
remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
```