Generate docs from job=validate_atomics_generate_docs branch=circle-generate-docs
parent 168366dcb7
commit e124a433e2
@@ -1,4 +1,4 @@
# T1002 - Data Compressed
# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
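Review bot: The removed and the added heading line in this hunk (`# T1002 - Data Compressed`) render identically, and the same holds for every other hunk in this commit, so each technique file is being rewritten with a change that is invisible here, most likely trailing whitespace, a line-ending change or a byte-order mark. Suggest normalizing the generator's output (LF line endings, no BOM, a single trailing newline) and comparing the rendered text against the existing file before writing it, so that re-running the validate_atomics_generate_docs job does not churn every technique document with a no-op diff.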
@@ -1,4 +1,4 @@
# T1003 - Credential Dumping
# T1003 - Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003)
<blockquote>Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
@@ -1,4 +1,4 @@
# T1046 - Network Service Scanning
# T1046 - Network Service Scanning
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
@@ -1,4 +1,4 @@
# T1087 - Account Discovery
# T1087 - Account Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087)
<blockquote>Adversaries may attempt to get a listing of local system or domain accounts.
@@ -1,4 +1,4 @@
# T1089 - Disabling Security Tools
# T1089 - Disabling Security Tools
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1089)
<blockquote>Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
@@ -1,4 +1,4 @@
# T1099 - Timestomp
# T1099 - Timestomp
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1099)
<blockquote>Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)
@@ -1,4 +1,4 @@
# T1105 - Remote File Copy
# T1105 - Remote File Copy
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105)
<blockquote>Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
@@ -1,4 +1,4 @@
# T1107 - File Deletion
# T1107 - File Deletion
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1107)
<blockquote>Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
@@ -1,4 +1,4 @@
# T1110 - Brute Force
# T1110 - Brute Force
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110)
<blockquote>Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.
@@ -1,4 +1,4 @@
# T1113 - Screen Capture
# T1113 - Screen Capture
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113)
<blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
@@ -1,4 +1,4 @@
# T1115 - Clipboard Data
# T1115 - Clipboard Data
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
<blockquote>Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
@@ -1,4 +1,4 @@
# T1117 - Regsvr32
# T1117 - Regsvr32
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1117)
<blockquote>Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)
@@ -1,4 +1,4 @@
# T1123 - Audio Capture
# T1123 - Audio Capture
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1123)
<blockquote>An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
@@ -1,4 +1,4 @@
# T1130 - Install Root Certificate
# T1130 - Install Root Certificate
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1130)
<blockquote>Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
@@ -1,4 +1,4 @@
# T1136 - Create Account
# T1136 - Create Account
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
<blockquote>Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
@@ -1,4 +1,4 @@
# T1139 - Bash History
# T1139 - Bash History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1139)
<blockquote>Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
@@ -1,4 +1,4 @@
# T1146 - Clear Command History
# T1146 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
<blockquote>macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.
@@ -1,4 +1,4 @@
# T1146 - Clear Command History
# T1146 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
<blockquote>macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.
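Review bot: This hunk repeats the preceding T1146 hunk line for line (the same `# T1146 - Clear Command History` heading and the same ATT&CK description), so the generator has emitted two documents for one technique id. Check whether two atomic test definitions carry T1146 and either merge them or have the generator reject duplicate technique ids, since two files for one id will confuse anything that indexes the docs by technique.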
@@ -1,4 +1,4 @@
# T1158 - Hidden Files and Directories
# T1158 - Hidden Files and Directories
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1158)
<blockquote>To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).
@@ -1,4 +1,4 @@
# T1176 - Browser Extensions
# T1176 - Browser Extensions
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
<blockquote>Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition)