Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2024-08-03 01:17:47 +00:00
parent d27673ede6
commit e6469976ec
12 changed files with 112 additions and 3 deletions
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1623-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1624-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
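Review bot: the Atomics badge count moves from 1623 to 1624, which agrees with exactly one new auto_generated_guid (b7fc4c3f-fe6e-479a-ba27-ef91b88536e3) being appended to the GUID list in this commit; no change needed in this hunk.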
File diff suppressed because one or more lines are too long
@@ -853,6 +853,7 @@ privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
privilege-escalation,T1546,Event Triggered Execution,6,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
@@ -1215,6 +1216,7 @@ persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandPr
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
persistence,T1546,Event Triggered Execution,6,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
@@ -595,6 +595,7 @@ privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
privilege-escalation,T1546,Event Triggered Execution,6,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -831,6 +832,7 @@ persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandPr
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
persistence,T1546,Event Triggered Execution,6,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -1126,6 +1126,7 @@
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
- Atomic Test #6: Persistence using automatic execution of custom DLL during RDP session [windows]
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1645,6 +1646,7 @@
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
- Atomic Test #6: Persistence using automatic execution of custom DLL during RDP session [windows]
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -803,6 +803,7 @@
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
- Atomic Test #6: Persistence using automatic execution of custom DLL during RDP session [windows]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -1148,6 +1149,7 @@
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
- Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
- Atomic Test #6: Persistence using automatic execution of custom DLL during RDP session [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
@@ -45290,6 +45290,22 @@ privilege-escalation:
'
name: command_prompt
elevation_required: true
- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: "When remote desktop session is accepted, the system queries the
key it queries the Registry key:HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\AddIns\\TestDVCPlugin. \nIf such key exists, the OS will attempt to
read the Path value underneath.Once the Path is read, the DLL that it points
to will be loaded via LoadLibrary."
supported_platforms:
- windows
executor:
command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin"
/v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
cleanup_command: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal
Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
T1546.004:
technique:
x_mitre_platforms:
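Review bot: the description scalar in this hunk carries a wording defect that should be fixed at the source rather than in this generated index: "the system queries the key it queries the Registry key:" repeats a phrase, "underneath.Once" is missing a space after the period, and the stray space before "\n" after "TestDVCPlugin." is carried through from the source text. The executor block is otherwise consistent: elevation_required: true is correct because the command writes under HKLM, and cleanup_command deletes the whole Terminal Server\AddIns\TestDVCPlugin key rather than only the Path value, which is the right cleanup scope.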
@@ -69044,6 +69060,22 @@ persistence:
'
name: command_prompt
elevation_required: true
- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: "When remote desktop session is accepted, the system queries the
key it queries the Registry key:HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\AddIns\\TestDVCPlugin. \nIf such key exists, the OS will attempt to
read the Path value underneath.Once the Path is read, the DLL that it points
to will be loaded via LoadLibrary."
supported_platforms:
- windows
executor:
command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin"
/v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
cleanup_command: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal
Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
T1546.004:
technique:
x_mitre_platforms:
@@ -37695,6 +37695,22 @@ privilege-escalation:
'
name: command_prompt
elevation_required: true
- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: "When remote desktop session is accepted, the system queries the
key it queries the Registry key:HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\AddIns\\TestDVCPlugin. \nIf such key exists, the OS will attempt to
read the Path value underneath.Once the Path is read, the DLL that it points
to will be loaded via LoadLibrary."
supported_platforms:
- windows
executor:
command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin"
/v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
cleanup_command: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal
Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
T1546.004:
technique:
x_mitre_platforms:
@@ -57147,6 +57163,22 @@ persistence:
'
name: command_prompt
elevation_required: true
- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: "When remote desktop session is accepted, the system queries the
key it queries the Registry key:HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\AddIns\\TestDVCPlugin. \nIf such key exists, the OS will attempt to
read the Path value underneath.Once the Path is read, the DLL that it points
to will be loaded via LoadLibrary."
supported_platforms:
- windows
executor:
command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin"
/v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
cleanup_command: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal
Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
T1546.004:
technique:
x_mitre_platforms:
@@ -18,6 +18,8 @@ Since the execution can be proxied by an account with higher permissions, such a
- [Atomic Test #5 - Adding custom debugger for Windows Error Reporting](#atomic-test-5---adding-custom-debugger-for-windows-error-reporting)
- [Atomic Test #6 - Persistence using automatic execution of custom DLL during RDP session](#atomic-test-6---persistence-using-automatic-execution-of-custom-dll-during-rdp-session)
<br/>
@@ -240,4 +242,37 @@ reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v De
<br/>
<br/>
## Atomic Test #6 - Persistence using automatic execution of custom DLL during RDP session
When remote desktop session is accepted, the system queries the key it queries the Registry key:HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin.
If such key exists, the OS will attempt to read the Path value underneath.Once the Path is read, the DLL that it points to will be loaded via LoadLibrary.
**Supported Platforms:** Windows
**auto_generated_guid:** b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f
```
<br/>
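Review bot: the attack command in this hunk only creates the Path value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin; the description states that the DLL is loaded via LoadLibrary when a remote desktop session is accepted, and nothing in the test establishes such a session, so run on its own the test exercises detection of the registry write (a reg add under Terminal Server\AddIns) rather than the DLL load itself. Suggest saying in the description that an RDP logon to the host after the test is required to observe the load, and that Path is pointed at a Windows-shipped DLL (C:\Windows\System32\amsi.dll) so the test drops no payload of its own. The description wording ("the system queries the key it queries the Registry key:", "underneath.Once") also needs cleanup, but in the atomic's YAML, since this markdown is generated from it.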
@@ -136,6 +136,7 @@ atomic_tests:
name: command_prompt
elevation_required: true
- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: |-
When remote desktop session is accepted, the system queries the key it queries the Registry key:HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin.
If such key exists, the OS will attempt to read the Path value underneath.Once the Path is read, the DLL that it points to will be loaded via LoadLibrary.
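Review bot: the description: |- block in this hunk is where the wording fix belongs, since the same two sentences are reproduced verbatim in the privilege-escalation and persistence index hunks and in the T1546.md hunk above. Suggested replacement for the two description lines:
When a remote desktop session is accepted, the system queries the registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin.
If that key exists, the OS reads the Path value underneath it and loads the DLL that it points to via LoadLibrary.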
@@ -1662,3 +1662,4 @@ cfe6315c-4945-40f7-b5a4-48f7af2262af
7125eba8-7b30-426b-9147-781d152be6fb
bcd4c2bc-490b-4f91-bd31-3709fe75bbdf
ab4d04af-68dc-4fee-9c16-6545265b3276
b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
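Review bot: the appended GUID b7fc4c3f-fe6e-479a-ba27-ef91b88536e3 matches the auto_generated_guid of the new test in every other hunk of this commit and accounts for the README badge moving from 1623 to 1624; nothing further to raise on this hunk.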