Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-03-16 21:33:02 +00:00
parent c6788c5736
commit f1bcfda48a
13 changed files with 39 additions and 98 deletions
-9
@@ -42,8 +42,6 @@ Remote to Local
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target SSH domain | url | target.example.com|
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
#### Attack Commands: Run with `sh`!
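Review bot: dropping `user_name` and `password` from the inputs table leaves nothing documenting the SSH credentials the test needs; confirm the `sh` attack command that follows no longer expands `#{user_name}` or `#{password}`, since an unresolved placeholder would be passed to the SSH client verbatim. If the test now relies on key-based auth or an interactive prompt, say so in the description.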
@@ -164,13 +162,6 @@ Exfiltration of specified file over DNS protocol.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target DNS domain | url | ns2.example.com|
| input_file | Path to file to be exfiltrated. | Path | ./example.txt|
| output_file | Filename of the data exfiltrated. | String | received_data.txt|
#### Run it with these steps!
1. On the adversary machine run the below command.
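Review bot: with `domain`, `input_file` and `output_file` removed from the inputs, the manual steps under "Run it with these steps!" have to carry the DNS domain, the file to exfiltrate and the receiving filename as literal values; check that step 1 and the remaining steps still read sensibly without the `#{...}` placeholders, otherwise the reader is told to run a command with an unexplained `#{domain}` in it.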
+2 -2
@@ -52,7 +52,7 @@ Windows 10 Utility To Inject DLLS
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055\src\x64\T1055.dll|
| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
| process_id | PID of input_arguments | Integer | (get-process spoolsv).id|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
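Review bot: the `process_id` type is now `Integer`, but its default `(get-process spoolsv).id` is a PowerShell expression, not an integer literal, so it only resolves to a number because the executor is `powershell`. Either document in the description that the default is evaluated at run time, or move the `Get-Process` lookup into the command and give the argument a plain numeric default.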
@@ -96,7 +96,7 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to Inject | Path | T1055.dll|
| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
| process_id | PID of input_arguments | Integer | (get-process spoolsv).id|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
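Review bot: `Integer` here describes the resolved value rather than the default `(get-process spoolsv).id`, which is a PowerShell expression that only works because the executor is `powershell`; a short note in the description that the default is evaluated by the executor would avoid surprising anyone who supplies `process_id` from another runner.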
+1 -1
@@ -25,7 +25,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePa
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_service_name | weak service check | Registry | weakservicename|
| weak_service_name | weak service check | String | weakservicename|
#### Attack Commands: Run with `powershell`!
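Review bot: `String` is the right type, since `weak_service_name` is interpolated into the `reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"` path rather than being a registry value itself; the description "weak service check" is still vague, though, and could state that this is the name of the service whose `ImagePath` the test overwrites.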
+3 -3
@@ -27,7 +27,7 @@ refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-ic
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | The IP address of the listening server | ip | 127.0.0.1|
| server_ip | The IP address of the listening server | string | 127.0.0.1|
#### Attack Commands: Run with `powershell`!
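Review bot: changing the type from `ip` to `string` loosens validation while the description still says "The IP address of the listening server"; if a hostname is now acceptable for the ICMP C2 listener, say so in the description, otherwise keep the wording and note the expected format so the `127.0.0.1` default is not the only hint.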
@@ -112,8 +112,8 @@ nc -l -p <port>
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | The IP address or domain name of the listening server | ip | 127.0.0.1|
| server_port | The port for the C2 connection | port number | 80|
| server_ip | The IP address or domain name of the listening server | string | 127.0.0.1|
| server_port | The port for the C2 connection | integer | 80|
#### Attack Commands: Run with `powershell`!
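Review bot: `integer` for `server_port` is an improvement over `port number`, but nothing states the valid range; adding "1-65535" to the description would let a reader (or a generator check) catch an out-of-range value before the `nc -l -p <port>` listener side is set up.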
+1 -1
@@ -136,7 +136,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
```sh
touch -acmr #{reference_file_path} {target_file_path}
touch -acmr #{reference_file_path} #{target_file_path}
```
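Review bot: the missing `#` in `{target_file_path}` meant `touch -acmr` was aimed at a file literally named `{target_file_path}`, and because `-c` suppresses file creation the command exited 0 without touching anything, so the test reported success while doing nothing. This is one of three bare `{...}` placeholders fixed in this commit; a generator-side check that rejects `{name}` not preceded by `#` would catch the whole class.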
-5
@@ -207,11 +207,6 @@ Recursively delete the temporary directory and all files contained within it usi
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:&#92;Windows&#92;Temp&#92;victim-files-ps|
#### Attack Commands: Run with `powershell`!
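Review bot: with `folder_to_delete` gone from the inputs, the `powershell` command must carry the literal `C:\Windows\Temp\victim-files-ps` path itself; confirm it no longer contains `#{folder_to_delete}`, because a recursive delete built from an unresolved placeholder fails at best and, if the placeholder were expanded to an empty string, would be aimed at the wrong directory.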
+3 -3
@@ -41,7 +41,7 @@ Use screencapture command to collect a full desktop screenshot
```bash
screencapture
screencapture #{output_file}
```
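Review bot: `#{output_file}` is now referenced by the command, so this test must declare `output_file` in its inputs table with a default; an undeclared argument leaves the literal text in the command line and `screencapture` will write a file named `#{output_file}`. Check the inputs table above this hunk.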
@@ -70,7 +70,7 @@ Use screencapture command to collect a full desktop screenshot
```bash
screencapture -x
screencapture -x #{output_file}
```
@@ -129,7 +129,7 @@ Use import command to collect a full desktop screenshot
```bash
import -window root
import -window root #{output_file}
```
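Review bot: the `import -window root #{output_file}` form needs `output_file` declared for this test as well; the YAML index in this commit gives it `desktop.png`, which is a relative path, so the capture lands in whatever the executor's working directory is. An absolute default, or a line in the description naming the directory, would make cleanup deterministic.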
-5
@@ -32,11 +32,6 @@ Requires Administrator Privileges To Execute Test
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_user | Username To Steal Token From | String | SYSTEM|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
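Review bot: removing `target_user` (default `SYSTEM`) hardcodes which account's token the test steals; confirm the `powershell` command no longer expands `#{target_user}` and update the description if the target is now fixed to SYSTEM, since "Requires Administrator Privileges To Execute Test" is the only remaining hint about what the test does with privileges.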
-1
@@ -39,7 +39,6 @@ Create a user via useradd
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
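Review bot: dropping `comment` means the `useradd` command should no longer pass `-c "#{comment}"`; check that the command and its cleanup reference only `#{username}`, and that the "Evil Account" text either moved into the command as a literal or was dropped on purpose.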
-1
@@ -28,7 +28,6 @@ Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe|
| powershell_process_name | Name of the created process | string | calc|
#### Attack Commands: Run with `powershell`!
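Review bot: `powershell_process_name` was the only input naming the spawned `calc` process; if the cleanup command used `#{powershell_process_name}` to stop it, that reference now dangles. Confirm the cleanup (if any) uses the literal process name, otherwise the hidden calc.exe is left running after the test.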
+2 -2
@@ -62,14 +62,14 @@ Tests execution of a local program by a VBScript file called by Mshta
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_file | Create a local VBScript file | path | C:&#92;Temp&#92;mshta_notepad.vbs|
| local_file_path | Create a local VBScript file | path | C:&#92;Temp&#92;mshta_notepad.vbs|
#### Attack Commands: Run with `command_prompt`!
```cmd
mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)")
mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)")
```
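Review bot: the rename `local_file` -> `local_file_path` brings the table in line with the placeholder, and adding the missing `#` makes the command actually expand the argument; before this, `mshta.exe` was told to run the literal string `{local_file_path}`. Any other reference to the old `local_file` name (dependency checks, cleanup) needs the same rename, or the dependency will prompt for an argument that no longer exists.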
+2 -2
@@ -23,8 +23,8 @@ Compile C# code using csc.exe binary used by .NET
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | file | PathToAtomicsFolder&#92;T1500&#92;src&#92;calc.cs|
| output_file | Output compiled binary | file | C:&#92;Windows&#92;Temp&#92;T1500.exe|
| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder&#92;T1500&#92;src&#92;calc.cs|
| output_file | Output compiled binary | Path | C:&#92;Windows&#92;Temp&#92;T1500.exe|
#### Attack Commands: Run with `command_prompt`!
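Review bot: `Path` matches the type used by the other atomics, but `output_file` is a compiled binary written to `C:\Windows\Temp\T1500.exe`; the table should say whether the cleanup command removes it, since a leftover executable in a temp directory is exactly what a later detection test would flag.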
+25 -63
@@ -1131,10 +1131,6 @@ persistence:
description: Username of the user to create
type: String
default: evil_user
comment:
description: Comment to record when creating the user
type: String
default: Evil Account
executor:
name: bash
elevation_required: true
@@ -4355,7 +4351,7 @@ persistence:
input_arguments:
weak_service_name:
description: weak service check
type: Registry
type: String
default: weakservicename
executor:
name: powershell
@@ -5338,11 +5334,6 @@ defense-evasion:
Requires Administrator Privileges To Execute Test
supported_platforms:
- windows
input_arguments:
target_user:
description: Username To Steal Token From
type: String
default: SYSTEM
executor:
name: powershell
elevation_required: true
@@ -6201,11 +6192,11 @@ defense-evasion:
input_arguments:
input_file:
description: C# code that launches calc.exe from a hidden cmd.exe Window
type: file
type: Path
default: PathToAtomicsFolder\T1500\src\calc.cs
output_file:
description: Output compiled binary
type: file
type: Path
default: C:\Windows\Temp\T1500.exe
dependency_executor_name: powershell
dependencies:
@@ -7460,11 +7451,6 @@ defense-evasion:
'
supported_platforms:
- windows
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: Path
default: C:\Windows\Temp\victim-files-ps
executor:
name: powershell
elevation_required: false
@@ -8515,10 +8501,6 @@ defense-evasion:
description: Command to launch calc.exe from a hidden PowerShell Window
type: String
default: powershell.exe -WindowStyle hidden calc.exe
powershell_process_name:
description: Name of the created process
type: string
default: calc
executor:
name: powershell
elevation_required: false
@@ -10355,13 +10337,13 @@ defense-evasion:
supported_platforms:
- windows
input_arguments:
local_file:
local_file_path:
description: Create a local VBScript file
type: path
default: C:\Temp\mshta_notepad.vbs
executor:
name: command_prompt
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)")
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)")
'
- name: Mshta executes VBScript to execute malicious command
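Review bot: the `#` fix is correct, and the surrounding YAML single-quoted scalar keeps the doubled `""` as literal VBScript string escapes, so with the `C:\Temp\mshta_notepad.vbs` default the executor runs `mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""C:\Temp\mshta_notepad.vbs"")(window.close)")`. Worth one run to confirm `Run` receives the quoted path intact, since this is the first time the argument is actually substituted.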
@@ -11267,7 +11249,7 @@ defense-evasion:
default: PathToAtomicsFolder\T1055\src\x64\T1055.dll
process_id:
description: PID of input_arguments
type: Int
type: Integer
default: "(get-process spoolsv).id"
dependency_executor_name: powershell
dependencies:
@@ -11295,7 +11277,7 @@ defense-evasion:
default: T1055.dll
process_id:
description: PID of input_arguments
type: Int
type: Integer
default: "(get-process spoolsv).id"
executor:
name: powershell
@@ -12659,7 +12641,7 @@ defense-evasion:
default: "/opt/filename"
executor:
name: sh
command: 'touch -acmr #{reference_file_path} {target_file_path}
command: 'touch -acmr #{reference_file_path} #{target_file_path}
'
- name: Windows - Modify file creation timestamp with PowerShell
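Review bot: the `sh` executor previously ran `touch -acmr <reference> {target_file_path}`; because `-c` suppresses creation, touching a non-existent file literally named `{target_file_path}` exits 0, so the timestomp test passed without modifying `/opt/filename` or whatever target was supplied. The fix restores the intended behaviour; a regression check that the target's mtime changes after the test would keep it from silently breaking again.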
@@ -13309,11 +13291,6 @@ privilege-escalation:
Requires Administrator Privileges To Execute Test
supported_platforms:
- windows
input_arguments:
target_user:
description: Username To Steal Token From
type: String
default: SYSTEM
executor:
name: powershell
elevation_required: true
@@ -15272,7 +15249,7 @@ privilege-escalation:
default: PathToAtomicsFolder\T1055\src\x64\T1055.dll
process_id:
description: PID of input_arguments
type: Int
type: Integer
default: "(get-process spoolsv).id"
dependency_executor_name: powershell
dependencies:
@@ -15300,7 +15277,7 @@ privilege-escalation:
default: T1055.dll
process_id:
description: PID of input_arguments
type: Int
type: Integer
default: "(get-process spoolsv).id"
executor:
name: powershell
@@ -15640,7 +15617,7 @@ privilege-escalation:
input_arguments:
weak_service_name:
description: weak service check
type: Registry
type: String
default: weakservicename
executor:
name: powershell
@@ -23166,13 +23143,13 @@ execution:
supported_platforms:
- windows
input_arguments:
local_file:
local_file_path:
description: Create a local VBScript file
type: path
default: C:\Temp\mshta_notepad.vbs
executor:
name: command_prompt
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)")
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)")
'
- name: Mshta executes VBScript to execute malicious command
@@ -27857,7 +27834,9 @@ collection:
executor:
name: bash
elevation_required: false
command: screencapture
command: 'screencapture #{output_file}
'
- name: Screencapture (silent)
description: 'Use screencapture command to collect a full desktop screenshot
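Review bot: the command now expands `#{output_file}`, so the `input_arguments` for this Screencapture entry must define `output_file` (the X Windows entry further down uses `desktop.png`); check the lines above this hunk, because with no declaration the literal `#{output_file}` is passed to `screencapture` as the filename.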
@@ -27872,7 +27851,9 @@ collection:
executor:
name: bash
elevation_required: false
command: screencapture -x
command: 'screencapture -x #{output_file}
'
- name: X Windows Capture
description: 'Use xwd command to collect a full desktop screenshot and review
file with xwud
@@ -27903,7 +27884,9 @@ collection:
default: desktop.png
executor:
name: bash
command: import -window root
command: 'import -window root #{output_file}
'
exfiltration:
'':
technique:
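Review bot: `default: desktop.png` is a relative path, so `import -window root desktop.png` writes into the executor's current working directory, which differs between running from the atomics folder and from an invoking framework; an absolute default under a temp directory would make the artifact location, and its cleanup, predictable.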
@@ -28441,14 +28424,6 @@ exfiltration:
description: target SSH domain
type: url
default: target.example.com
user_name:
description: username for domain
type: string
default: atomic
password:
description: password for user
type: string
default: atomic
executor:
name: sh
elevation_required: false
@@ -28536,19 +28511,6 @@ exfiltration:
'
supported_platforms:
- linux
input_arguments:
domain:
description: target DNS domain
type: url
default: ns2.example.com
input_file:
description: Path to file to be exfiltrated.
type: Path
default: "./example.txt"
output_file:
description: Filename of the data exfiltrated.
type: String
default: received_data.txt
executor:
name: manual
steps: "1. On the adversary machine run the below command.\n\n tshark -f
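Review bot: this is a `manual` executor, so removing `domain`, `input_file` and `output_file` from `input_arguments` only works if the `steps:` text no longer relies on `#{...}` substitution; the visible step 1 starts a `tshark -f` capture, so verify its filter and the remaining steps use literal values for the DNS domain, the exfiltrated file and the received filename.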
@@ -29620,7 +29582,7 @@ command-and-control:
input_arguments:
server_ip:
description: The IP address of the listening server
type: ip
type: string
default: 127.0.0.1
executor:
name: powershell
@@ -29677,11 +29639,11 @@ command-and-control:
input_arguments:
server_ip:
description: The IP address or domain name of the listening server
type: ip
type: string
default: 127.0.0.1
server_port:
description: The port for the C2 connection
type: port number
type: integer
default: 80
executor:
name: powershell