Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-01-06 21:18:03 +00:00
parent a0b8d7e438
commit dfa7d4e513
6 changed files with 41 additions and 29 deletions
+2 -2
@@ -26,7 +26,7 @@ Cloud virtual networks may contain remote network shares or file storage service
- [Atomic Test #3 - Network Share Discovery PowerShell](#atomic-test-3---network-share-discovery-powershell)
- [Atomic Test #4 - View avaliabe share drives](#atomic-test-4---view-avaliabe-share-drives)
- [Atomic Test #4 - View available share drives](#atomic-test-4---view-available-share-drives)
<br/>
@@ -97,7 +97,7 @@ get-smbshare -Name #{computer_name}
<br/>
<br/>
## Atomic Test #4 - View avaliabe share drives
## Atomic Test #4 - View available share drives
View information about all of the resources that are shared on the local computer
**Supported Platforms:** Windows
+12 -6
@@ -56,7 +56,7 @@ wbadmin.exe delete catalog -quiet
<br/>
## Atomic Test #3 - Windows - Disable Windows Recovery Console Repair
Disables repair by the Windows Recovery Console on boot.
Disables repair by the Windows Recovery Console on boot.
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
@@ -69,6 +69,11 @@ bcdedit.exe /set {default} recoveryenabled no
```
#### Cleanup Commands:
```
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
```
<br/>
<br/>
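Review bot: the new cleanup restores `bootstatuspolicy DisplayAllFailures` and `recoveryenabled yes`, which are the Windows defaults rather than whatever the host had before the test; on a machine with a customised boot configuration the cleanup will not put it back. Either document that the test assumes the default boot configuration, or recommend capturing `bcdedit /enum {default}` before the run so the values can be compared afterwards.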
@@ -83,11 +88,13 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_overwrite | Path of file to overwrite and remove | Path | C:\some\file.txt|
| sdelete_path | Path to sdelete.exe | Path | |
#### Run it with `command_prompt`!
#### Run it with `powershell`!
```
sdelete.exe #{file_to_overwrite}
New-Item $env:TEMP\T1485.txt
Set-Location #{sdelete_path}
.\sdelete.exe -accepteula $env:TEMP\T1485.txt
```
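Review bot: `New-Item $env:TEMP\T1485.txt` errors if the file already exists, so a second run of the test fails before SDelete is ever reached; `New-Item -ItemType File -Force $env:TEMP\T1485.txt` makes the run repeatable. `Set-Location #{sdelete_path}` also breaks when the directory contains spaces (for example under `Program Files`); quote it as `Set-Location "#{sdelete_path}"`, or drop the directory change and call `& "#{sdelete_path}\sdelete.exe" -accepteula $env:TEMP\T1485.txt` directly so the session's working directory is left untouched.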
@@ -97,7 +104,6 @@ sdelete.exe #{file_to_overwrite}
## Atomic Test #5 - macOS/Linux - Overwrite file with DD
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
**Supported Platforms:** CentOS, Linux, macOS, Ubuntu
@@ -125,7 +131,7 @@ Deletes backup files in a manner similar to Ryuk ransomware.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
```
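Review bot: marking this test as elevation-required is correct, but `del /s /f /q` starting at `c:\` recurses the whole system drive and the test has no cleanup, so running it anywhere but a disposable VM destroys real backup files; the description should say plainly that the test is destructive and unrecoverable, not only that it mimics Ryuk.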
+3 -3
@@ -33,10 +33,10 @@ Adversaries may attempt to get a listing of all software that is installed on th
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Run it with `powershell`!
```
POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
```
+1 -1
@@ -572,7 +572,7 @@
- Atomic Test #1: Network Share Discovery [macos, linux]
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
- Atomic Test #4: View avaliabe share drives [windows]
- Atomic Test #4: View available share drives [windows]
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture MacOS [macos]
+22 -16
@@ -15787,9 +15787,9 @@ impact:
'
- name: Windows - Disable Windows Recovery Console Repair
description: "Disables repair by the Windows Recovery Console on boot. \nThis
technique is used by numerous ransomware families and APT malware such as
Olympic Destroyer.\n"
description: |
Disables repair by the Windows Recovery Console on boot.
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
supported_platforms:
- windows
executor:
@@ -15798,6 +15798,9 @@ impact:
command: |
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
cleanup_command: |
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
- name: Windows - Overwrite file with Sysinternals SDelete
description: |
Overwrites and deletes a file using Sysinternals SDelete.
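Review bot: `cleanup_command` issues `bcdedit.exe /set`, which fails from a non-elevated prompt, and the visible lines of this executor carry no `elevation_required: true` (the Ryuk-style deletion test later in this change does get it); check that the flag is set on this executor, otherwise a non-elevated run leaves the recovery console disabled after the test.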
@@ -15805,19 +15808,19 @@ impact:
supported_platforms:
- windows
input_arguments:
file_to_overwrite:
description: Path of file to overwrite and remove
sdelete_path:
description: Path to sdelete.exe
type: Path
default: C:\some\file.txt
default: ''
executor:
name: command_prompt
command: 'sdelete.exe #{file_to_overwrite}
'
name: powershell
command: |
New-Item $env:TEMP\T1485.txt
Set-Location #{sdelete_path}
.\sdelete.exe -accepteula $env:TEMP\T1485.txt
- name: macOS/Linux - Overwrite file with DD
description: |
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
supported_platforms:
- centos
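Review bot: `sdelete_path` is described as "Path to sdelete.exe", but the executor does `Set-Location #{sdelete_path}` followed by `.\sdelete.exe`, so the value has to be the directory containing SDelete, not the executable itself; reword the description to "Directory containing sdelete.exe". With `default: ''` the test cannot run until the argument is supplied, which is fine, but the description should say the input is required.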
@@ -15846,8 +15849,11 @@ impact:
- windows
executor:
name: command_prompt
command: del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
elevation_required: true
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
c:\backup*.* c:\*.set c:\*.win c:\*.dsk
'
'':
technique:
x_mitre_data_sources:
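Review bot: the command is now a single-quoted scalar spanning two lines, whose embedded line break folds to a single space, so the result is still one `del` invocation (which is what the generated markdown shows); using `|` as the other executors in this file do, or a `>` folded block scalar, would make that intent explicit and remove the lone `'` line.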
@@ -17410,7 +17416,7 @@ discovery:
command: |
net view \\#{computer_name}
get-smbshare -Name #{computer_name}
- name: View avaliabe share drives
- name: View available share drives
description: View information about all of the resources that are shared on
the local computer
supported_platforms:
@@ -18337,11 +18343,11 @@ discovery:
supported_platforms:
- windows
executor:
name: command_prompt
name: powershell
elevation_required: false
command: |
POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
T1082:
technique:
x_mitre_permissions_required:
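Review bot: switching the executor to `powershell` and dropping the `POWERSHELL.EXE "..."` wrappers is the right simplification, since the commands no longer spawn a nested shell or need the outer quoting; note that the second line reads `Wow6432Node`, which exists only on 64-bit Windows, so on a 32-bit host it emits a path-not-found error. Adding `-ErrorAction SilentlyContinue` to that `Get-ItemProperty` keeps the output clean on both.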
+1 -1
@@ -409,7 +409,7 @@
- [T1135 Network Share Discovery](./T1135/T1135.md)
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
- Atomic Test #4: View avaliabe share drives [windows]
- Atomic Test #4: View available share drives [windows]
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]