Generate docs from job=validate_atomics_generate_docs branch=master
This commit is contained in:
CircleCI Atomic Red Team doc generator
parent
d490f345a7
commit
e0d70c657d
@@ -0,0 +1,30 @@
|
||||
# T1005 - Data from Local System
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
|
||||
<blockquote>Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
|
||||
|
||||
Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Search macOS Safari Cookies](#atomic-test-1---search-macos-safari-cookies)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Search macOS Safari Cookies
|
||||
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| search_string | String to search Safari cookies to find. | string | coinbase|
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
cd ~/Library/Cookies
|
||||
grep -q "#{search_string}" "Cookies.binarycookies"
|
||||
```
|
||||
<br/>
|
||||
+2
-1
@@ -667,7 +667,8 @@
|
||||
- [T1074 Data Staged](./T1074/T1074.md)
|
||||
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
|
||||
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1005 Data from Local System](./T1005/T1005.md)
|
||||
- Atomic Test #1: Search macOS Safari Cookies [macos]
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1114 Email Collection](./T1114/T1114.md)
|
||||
|
||||
@@ -18364,6 +18364,63 @@ collection:
|
||||
modified: '2018-10-17T00:14:20.652Z'
|
||||
created: '2017-05-31T21:31:37.917Z'
|
||||
atomic_tests: []
|
||||
T1005:
|
||||
technique:
|
||||
id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Data from Local System
|
||||
description: |-
|
||||
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
|
||||
|
||||
Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
|
||||
external_references:
|
||||
- external_id: T1005
|
||||
url: https://attack.mitre.org/techniques/T1005
|
||||
source_name: mitre-attack
|
||||
object_marking_refs:
|
||||
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
|
||||
x_mitre_version: '1.0'
|
||||
x_mitre_data_sources:
|
||||
- File monitoring
|
||||
- Process monitoring
|
||||
- Process command-line parameters
|
||||
x_mitre_detection: Monitor processes and command-line arguments for actions
|
||||
that could be taken to collect files from a system. Remote access tools with
|
||||
built-in features may interact directly with the Windows API to gather data.
|
||||
Data may also be acquired through Windows system management tools such as
|
||||
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)
|
||||
and [PowerShell](https://attack.mitre.org/techniques/T1086).
|
||||
x_mitre_system_requirements:
|
||||
- Privileges to access certain files and directories
|
||||
x_mitre_platforms:
|
||||
- Linux
|
||||
- macOS
|
||||
- Windows
|
||||
type: attack-pattern
|
||||
kill_chain_phases:
|
||||
- phase_name: collection
|
||||
kill_chain_name: mitre-attack
|
||||
modified: '2018-10-17T00:14:20.652Z'
|
||||
created: '2017-05-31T21:30:20.537Z'
|
||||
identifier: T1005
|
||||
atomic_tests:
|
||||
- name: Search macOS Safari Cookies
|
||||
description: 'This test uses `grep` to search a macOS Safari binaryCookies file
|
||||
for specified values. This was used by CookieMiner malware.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
search_string:
|
||||
description: String to search Safari cookies to find.
|
||||
type: string
|
||||
default: coinbase
|
||||
executor:
|
||||
name: sh
|
||||
command: |
|
||||
cd ~/Library/Cookies
|
||||
grep -q "#{search_string}" "Cookies.binarycookies"
|
||||
T1114:
|
||||
technique:
|
||||
id: attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f
|
||||
|
||||
@@ -92,7 +92,7 @@
|
||||
- [T1074 Data Staged](./T1074/T1074.md)
|
||||
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
|
||||
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1005 Data from Local System](./T1005/T1005.md)
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1056 Input Capture](./T1056/T1056.md)
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
|
||||
| [Spearphishing Attachment](./T1193/T1193.md) | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Sudo](./T1169/T1169.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Sudo Caching](./T1206/T1206.md) | [File Deletion](./T1107/T1107.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Local Job Scheduling](./T1168/T1168.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](./T1158/T1158.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
|
||||
@@ -146,7 +146,8 @@
|
||||
- [T1074 Data Staged](./T1074/T1074.md)
|
||||
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
|
||||
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1005 Data from Local System](./T1005/T1005.md)
|
||||
- Atomic Test #1: Search macOS Safari Cookies [macos]
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1056 Input Capture](./T1056/T1056.md)
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](./T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](./T1046/T1046.md) | [Remote File Copy](./T1105/T1105.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | [Data Encoding](./T1132/T1132.md) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [File Deletion](./T1107/T1107.md) | [Input Capture](./T1056/T1056.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [File Deletion](./T1107/T1107.md) | [Input Capture](./T1056/T1056.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | [File Permissions Modification](./T1222/T1222.md) | [Input Prompt](./T1141/T1141.md) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | [Launch Agent](./T1159/T1159.md) | [Sudo](./T1169/T1169.md) | [Gatekeeper Bypass](./T1144/T1144.md) | [Keychain](./T1142/T1142.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](./T1206/T1206.md) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
|
||||
+1
-1
@@ -6,7 +6,7 @@
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Account Manipulation](./T1098/T1098.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](./T1193/T1193.md) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | [Logon Scripts](./T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](./T1201/T1201.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote File Copy](./T1105/T1105.md) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
|
||||
@@ -391,7 +391,7 @@
|
||||
- Atomic Test #2: PowerShell [windows]
|
||||
- [T1074 Data Staged](./T1074/T1074.md)
|
||||
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1005 Data from Local System](./T1005/T1005.md)
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1114 Email Collection](./T1114/T1114.md)
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](./T1193/T1193.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Service Scanning](./T1046/T1046.md) | [Pass the Hash](./T1075/T1075.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | [Data Encoding](./T1132/T1132.md) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
|
||||
Reference in New Issue
Block a user