security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2023-12-04 18:31:49 +00:00
parent d46b0d874e
commit e6fb2beca0
9 changed files with 77 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -297,6 +297,7 @@ defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37
defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
297 defense-evasion T1112 Modify Registry 58 Modify Internet Zone Protocol Defaults in Current User Registry - cmd c88ef166-50fa-40d5-a80c-e2b87d4180f7 command_prompt
298 defense-evasion T1112 Modify Registry 59 Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell b1a4d687-ba52-4057-81ab-757c3dc0d3b5 powershell
299 defense-evasion T1112 Modify Registry 60 Activities To Disable Secondary Authentication Detected By Modified Registry Value. c26fb85a-fa50-4fab-a64a-c51f5dc538d5 command_prompt
300 defense-evasion T1112 Modify Registry 61 Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. ffeddced-bb9f-49c6-97f0-3d07a509bf94 command_prompt
301 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
302 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
303 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 2 Pad Binary to Change Hash using truncate command - Linux/macOS e22a9e89-69c7-410f-a473-e6c212cd2292 sh
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -202,6 +202,7 @@ defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37
defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
202 defense-evasion T1112 Modify Registry 58 Modify Internet Zone Protocol Defaults in Current User Registry - cmd c88ef166-50fa-40d5-a80c-e2b87d4180f7 command_prompt
203 defense-evasion T1112 Modify Registry 59 Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell b1a4d687-ba52-4057-81ab-757c3dc0d3b5 powershell
204 defense-evasion T1112 Modify Registry 60 Activities To Disable Secondary Authentication Detected By Modified Registry Value. c26fb85a-fa50-4fab-a64a-c51f5dc538d5 command_prompt
205 defense-evasion T1112 Modify Registry 61 Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. ffeddced-bb9f-49c6-97f0-3d07a509bf94 command_prompt
206 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
207 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
208 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -366,6 +366,7 @@
- Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
- Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
- Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
- Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -257,6 +257,7 @@
- Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
- Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
- Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
- Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/index.yaml
+18
View File
@@ -12942,6 +12942,24 @@ defense-evasion:
cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
/v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
'
name: command_prompt
- name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication
Detected By Modified Registry Value.
auto_generated_guid: ffeddced-bb9f-49c6-97f0-3d07a509bf94
description: |
Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
/t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
/t REG_DWORD /d 1 /f
'
name: command_prompt
T1574.008:
atomics/Indexes/windows-index.yaml
+18
View File
@@ -10367,6 +10367,24 @@ defense-evasion:
cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
/v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
'
name: command_prompt
- name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication
Detected By Modified Registry Value.
auto_generated_guid: ffeddced-bb9f-49c6-97f0-3d07a509bf94
description: |
Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
/t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
/t REG_DWORD /d 1 /f
'
name: command_prompt
T1574.008:
atomics/T1112/T1112.md
+35
View File
@@ -130,6 +130,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-60---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)
- [Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)
<br/>
@@ -2233,4 +2235,37 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "All
<br/>
<br/>
## Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
**Supported Platforms:** Windows
**auto_generated_guid:** ffeddced-bb9f-49c6-97f0-3d07a509bf94
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 1 /f
```
<br/>