security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2023-03-20 22:21:10 +00:00
parent 8c4cb3229c
commit e9ea0880cb
9 changed files with 78 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -1336,6 +1336,7 @@ discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1336 discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
1337 discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
1338 discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
1339 discovery T1057 Process Discovery 6 Discover Specific Process - tasklist 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb command_prompt
1340 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
1341 discovery T1069.001 Permission Groups Discovery: Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
1342 discovery T1069.001 Permission Groups Discovery: Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -939,6 +939,7 @@ discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
939 discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
940 discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
941 discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
942 discovery T1057 Process Discovery 6 Discover Specific Process - tasklist 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb command_prompt
943 discovery T1069.001 Permission Groups Discovery: Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
944 discovery T1069.001 Permission Groups Discovery: Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
945 discovery T1069.001 Permission Groups Discovery: Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -2081,6 +2081,7 @@
- Atomic Test #3: Process Discovery - Get-Process [windows]
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
- Atomic Test #5: Process Discovery - wmic process [windows]
- Atomic Test #6: Discover Specific Process - tasklist [windows]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -1496,6 +1496,7 @@
- Atomic Test #3: Process Discovery - Get-Process [windows]
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
- Atomic Test #5: Process Discovery - wmic process [windows]
- Atomic Test #6: Discover Specific Process - tasklist [windows]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
atomics/Indexes/index.yaml
+18
View File
@@ -89608,6 +89608,24 @@ discovery:
executor:
command: 'wmic process get /format:list
'
name: command_prompt
- name: Discover Specific Process - tasklist
auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
description: "Adversaries may use command line tools to discover specific processes
in preparation of further attacks. \nExamples of this could be discovering
the PID of lsass.exe to dump its memory or discovering whether specific security
processes (e.g. AV or EDR) are running.\n"
supported_platforms:
- windows
input_arguments:
process_to_enumerate:
description: Process name string to search for.
type: string
default: lsass
executor:
command: 'tasklist | findstr #{process_to_enumerate}
'
name: command_prompt
T1497.002:
atomics/Indexes/windows-index.yaml
+18
View File
@@ -77540,6 +77540,24 @@ discovery:
executor:
command: 'wmic process get /format:list
'
name: command_prompt
- name: Discover Specific Process - tasklist
auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
description: "Adversaries may use command line tools to discover specific processes
in preparation of further attacks. \nExamples of this could be discovering
the PID of lsass.exe to dump its memory or discovering whether specific security
processes (e.g. AV or EDR) are running.\n"
supported_platforms:
- windows
input_arguments:
process_to_enumerate:
description: Process name string to search for.
type: string
default: lsass
executor:
command: 'tasklist | findstr #{process_to_enumerate}
'
name: command_prompt
T1497.002:
atomics/T1057/T1057.md
+36
View File
@@ -16,6 +16,8 @@ In Windows environments, adversaries could obtain details on running processes u
- [Atomic Test #5 - Process Discovery - wmic process](#atomic-test-5---process-discovery---wmic-process)
- [Atomic Test #6 - Discover Specific Process - tasklist](#atomic-test-6---discover-specific-process---tasklist)
<br/>
@@ -176,4 +178,38 @@ wmic process get /format:list
<br/>
<br/>
## Atomic Test #6 - Discover Specific Process - tasklist
Adversaries may use command line tools to discover specific processes in preparation of further attacks.
Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
**Supported Platforms:** Windows
**auto_generated_guid:** 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_to_enumerate | Process name string to search for. | string | lsass|
#### Attack Commands: Run with `command_prompt`!
```cmd
tasklist | findstr #{process_to_enumerate}
```
<br/>