diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index 5c2f36d4..0978d10f 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md @@ -42,8 +42,6 @@ Remote to Local | Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | target SSH domain | url | target.example.com| -| user_name | username for domain | string | atomic| -| password | password for user | string | atomic| #### Attack Commands: Run with `sh`! @@ -164,13 +162,6 @@ Exfiltration of specified file over DNS protocol. -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| domain | target DNS domain | url | ns2.example.com| -| input_file | Path to file to be exfiltrated. | Path | ./example.txt| -| output_file | Filename of the data exfiltrated. | String | received_data.txt| - #### Run it with these steps! 1. On the adversary machine run the below command. diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 848c84b9..073f6fea 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -52,7 +52,7 @@ Windows 10 Utility To Inject DLLS | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055\src\x64\T1055.dll| -| process_id | PID of input_arguments | Int | (get-process spoolsv).id| +| process_id | PID of input_arguments | Integer | (get-process spoolsv).id| #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) 
@@ -96,7 +96,7 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/ | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to Inject | Path | T1055.dll| -| process_id | PID of input_arguments | Int | (get-process spoolsv).id| +| process_id | PID of input_arguments | Integer | (get-process spoolsv).id| #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) diff --git a/atomics/T1058/T1058.md b/atomics/T1058/T1058.md index f7b6eeb2..d55b31fc 100644 --- a/atomics/T1058/T1058.md +++ b/atomics/T1058/T1058.md @@ -25,7 +25,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePa #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| weak_service_name | weak service check | Registry | weakservicename| +| weak_service_name | weak service check | String | weakservicename| #### Attack Commands: Run with `powershell`! diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md index 22b00ca1..f5a66b40 100644 --- a/atomics/T1095/T1095.md +++ b/atomics/T1095/T1095.md @@ -27,7 +27,7 @@ refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-ic #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| server_ip | The IP address of the listening server | ip | 127.0.0.1| +| server_ip | The IP address of the listening server | string | 127.0.0.1| #### Attack Commands: Run with `powershell`! 
@@ -112,8 +112,8 @@ nc -l -p #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| server_ip | The IP address or domain name of the listening server | ip | 127.0.0.1| -| server_port | The port for the C2 connection | port number | 80| +| server_ip | The IP address or domain name of the listening server | string | 127.0.0.1| +| server_port | The port for the C2 connection | integer | 80| #### Attack Commands: Run with `powershell`! diff --git a/atomics/T1099/T1099.md b/atomics/T1099/T1099.md index 9b20829d..555d7541 100644 --- a/atomics/T1099/T1099.md +++ b/atomics/T1099/T1099.md @@ -136,7 +136,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux ```sh -touch -acmr #{reference_file_path} {target_file_path} +touch -acmr #{reference_file_path} #{target_file_path} ``` diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md index f3d246d1..d612a345 100644 --- a/atomics/T1107/T1107.md +++ b/atomics/T1107/T1107.md @@ -207,11 +207,6 @@ Recursively delete the temporary directory and all files contained within it usi -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps| - #### Attack Commands: Run with `powershell`! diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index ae214f96..0a882b64 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md @@ -41,7 +41,7 @@ Use screencapture command to collect a full desktop screenshot ```bash -screencapture +screencapture #{output_file} ``` @@ -70,7 +70,7 @@ Use screencapture command to collect a full desktop screenshot ```bash -screencapture -x +screencapture -x #{output_file} ``` @@ -129,7 +129,7 @@ Use import command to collect a full desktop screenshot ```bash -import -window root +import -window root #{output_file} ``` 
diff --git a/atomics/T1134/T1134.md b/atomics/T1134/T1134.md index 4d3b9f7e..dba05def 100644 --- a/atomics/T1134/T1134.md +++ b/atomics/T1134/T1134.md @@ -32,11 +32,6 @@ Requires Administrator Privileges To Execute Test -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| target_user | Username To Steal Token From | String | SYSTEM| - #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md index 28b1026c..8ed767c4 100644 --- a/atomics/T1136/T1136.md +++ b/atomics/T1136/T1136.md @@ -39,7 +39,6 @@ Create a user via useradd | Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | evil_user| -| comment | Comment to record when creating the user | String | Evil Account| #### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) diff --git a/atomics/T1143/T1143.md b/atomics/T1143/T1143.md index dfbec042..45a02ff4 100644 --- a/atomics/T1143/T1143.md +++ b/atomics/T1143/T1143.md @@ -28,7 +28,6 @@ Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell | Name | Description | Type | Default Value | |------|-------------|------|---------------| | powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe| -| powershell_process_name | Name of the created process | string | calc| #### Attack Commands: Run with `powershell`! diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md index 920b8768..9fe55152 100644 --- a/atomics/T1170/T1170.md +++ b/atomics/T1170/T1170.md 
@@ -62,14 +62,14 @@ Tests execution of a local program by a VBScript file called by Mshta #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| local_file | Create a local VBScript file | path | C:\Temp\mshta_notepad.vbs| +| local_file_path | Create a local VBScript file | path | C:\Temp\mshta_notepad.vbs| #### Attack Commands: Run with `command_prompt`! ```cmd -mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)") +mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)") ``` diff --git a/atomics/T1500/T1500.md b/atomics/T1500/T1500.md index 3f85c63a..6ac71e90 100644 --- a/atomics/T1500/T1500.md +++ b/atomics/T1500/T1500.md @@ -23,8 +23,8 @@ Compile C# code using csc.exe binary used by .NET #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | file | PathToAtomicsFolder\T1500\src\calc.cs| -| output_file | Output compiled binary | file | C:\Windows\Temp\T1500.exe| +| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder\T1500\src\calc.cs| +| output_file | Output compiled binary | Path | C:\Windows\Temp\T1500.exe| #### Attack Commands: Run with `command_prompt`! diff --git a/atomics/index.yaml b/atomics/index.yaml index 06c8e0da..91a8a302 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -1131,10 +1131,6 @@ persistence: description: Username of the user to create type: String default: evil_user - comment: - description: Comment to record when creating the user - type: String - default: Evil Account executor: name: bash elevation_required: true @@ -4355,7 +4351,7 @@ persistence: input_arguments: weak_service_name: description: weak service check - type: Registry + type: String default: weakservicename executor: name: powershell 
@@ -5338,11 +5334,6 @@ defense-evasion: Requires Administrator Privileges To Execute Test supported_platforms: - windows - input_arguments: - target_user: - description: Username To Steal Token From - type: String - default: SYSTEM executor: name: powershell elevation_required: true @@ -6201,11 +6192,11 @@ defense-evasion: input_arguments: input_file: description: C# code that launches calc.exe from a hidden cmd.exe Window - type: file + type: Path default: PathToAtomicsFolder\T1500\src\calc.cs output_file: description: Output compiled binary - type: file + type: Path default: C:\Windows\Temp\T1500.exe dependency_executor_name: powershell dependencies: @@ -7460,11 +7451,6 @@ defense-evasion: ' supported_platforms: - windows - input_arguments: - folder_to_delete: - description: Path of folder to delete - type: Path - default: C:\Windows\Temp\victim-files-ps executor: name: powershell elevation_required: false @@ -8515,10 +8501,6 @@ defense-evasion: description: Command to launch calc.exe from a hidden PowerShell Window type: String default: powershell.exe -WindowStyle hidden calc.exe - powershell_process_name: - description: Name of the created process - type: string - default: calc executor: name: powershell elevation_required: false @@ -10355,13 +10337,13 @@ defense-evasion: supported_platforms: - windows input_arguments: - local_file: + local_file_path: description: Create a local VBScript file type: path default: C:\Temp\mshta_notepad.vbs executor: name: command_prompt - command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)") + command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)") ' - name: Mshta executes VBScript to execute malicious command 
@@ -11267,7 +11249,7 @@ defense-evasion: default: PathToAtomicsFolder\T1055\src\x64\T1055.dll process_id: description: PID of input_arguments - type: Int + type: Integer default: "(get-process spoolsv).id" dependency_executor_name: powershell dependencies: @@ -11295,7 +11277,7 @@ defense-evasion: default: T1055.dll process_id: description: PID of input_arguments - type: Int + type: Integer default: "(get-process spoolsv).id" executor: name: powershell @@ -12659,7 +12641,7 @@ defense-evasion: default: "/opt/filename" executor: name: sh - command: 'touch -acmr #{reference_file_path} {target_file_path} + command: 'touch -acmr #{reference_file_path} #{target_file_path} ' - name: Windows - Modify file creation timestamp with PowerShell @@ -13309,11 +13291,6 @@ privilege-escalation: Requires Administrator Privileges To Execute Test supported_platforms: - windows - input_arguments: - target_user: - description: Username To Steal Token From - type: String - default: SYSTEM executor: name: powershell elevation_required: true @@ -15272,7 +15249,7 @@ privilege-escalation: default: PathToAtomicsFolder\T1055\src\x64\T1055.dll process_id: description: PID of input_arguments - type: Int + type: Integer default: "(get-process spoolsv).id" dependency_executor_name: powershell dependencies: @@ -15300,7 +15277,7 @@ privilege-escalation: default: T1055.dll process_id: description: PID of input_arguments - type: Int + type: Integer default: "(get-process spoolsv).id" executor: name: powershell @@ -15640,7 +15617,7 @@ privilege-escalation: input_arguments: weak_service_name: description: weak service check - type: Registry + type: String default: weakservicename executor: name: powershell 
@@ -23166,13 +23143,13 @@ execution: supported_platforms: - windows input_arguments: - local_file: + local_file_path: description: Create a local VBScript file type: path default: C:\Temp\mshta_notepad.vbs executor: name: command_prompt - command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)") + command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)") ' - name: Mshta executes VBScript to execute malicious command @@ -27857,7 +27834,9 @@ collection: executor: name: bash elevation_required: false - command: screencapture + command: 'screencapture #{output_file} + +' - name: Screencapture (silent) description: 'Use screencapture command to collect a full desktop screenshot @@ -27872,7 +27851,9 @@ collection: executor: name: bash elevation_required: false - command: screencapture -x + command: 'screencapture -x #{output_file} + +' - name: X Windows Capture description: 'Use xwd command to collect a full desktop screenshot and review file with xwud @@ -27903,7 +27884,9 @@ collection: default: desktop.png executor: name: bash - command: import -window root + command: 'import -window root #{output_file} + +' exfiltration: '': technique: @@ -28441,14 +28424,6 @@ exfiltration: description: target SSH domain type: url default: target.example.com - user_name: - description: username for domain - type: string - default: atomic - password: - description: password for user - type: string - default: atomic executor: name: sh elevation_required: false 
@@ -28536,19 +28511,6 @@ exfiltration: ' supported_platforms: - linux - input_arguments: - domain: - description: target DNS domain - type: url - default: ns2.example.com - input_file: - description: Path to file to be exfiltrated. - type: Path - default: "./example.txt" - output_file: - description: Filename of the data exfiltrated. - type: String - default: received_data.txt executor: name: manual steps: "1. On the adversary machine run the below command.\n\n tshark -f @@ -29620,7 +29582,7 @@ command-and-control: input_arguments: server_ip: description: The IP address of the listening server - type: ip + type: string default: 127.0.0.1 executor: name: powershell @@ -29677,11 +29639,11 @@ command-and-control: input_arguments: server_ip: description: The IP address or domain name of the listening server - type: ip + type: string default: 127.0.0.1 server_port: description: The port for the C2 connection - type: port number + type: integer default: 80 executor: name: powershell
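Review bot: in the T1048.md hunk at @@ -42,8 +42,6 the user_name and password rows are dropped from the SSH exfiltration Inputs table, but the `#### Attack Commands: Run with sh!` block that follows is not part of the hunk, so it cannot be seen here whether the command still contains `#{user_name}` or `#{password}`. Please include the command lines in the diff or confirm no such placeholder remains; an unresolved `#{...}` token leaves a test that runs but does not do what the documentation says. Removing the default credential pair `atomic`/`atomic` from the documented inputs is otherwise a sound cleanup, and the index.yaml hunk at @@ -28441 mirrors it correctly.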
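Review bot: the T1048.md hunk at @@ -164,13 +162,6 deletes the whole Inputs section (domain, input_file, output_file) of the DNS exfiltration test, yet the matching index.yaml hunk at @@ -28536 shows the executor is `manual` with `steps:` truncated right after `tshark -f`, so there is no way to check from the diff whether those steps still reference `#{domain}`, `#{input_file}` or `#{output_file}`. If the steps now hardcode `ns2.example.com`, `./example.txt` and `received_data.txt`, say so in the commit message; if they still use the placeholders, the inputs have to stay.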
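Review bot: in the T1055.md hunks at @@ -52 and @@ -96 the process_id type becomes `Integer`, but the default stays `(get-process spoolsv).id`, a PowerShell expression rather than an integer literal, so the declared type and the default value still disagree after this change. Either keep the expression and document that the default is evaluated by the executor, or switch the default to a literal PID and let the operator pass the spoolsv expression explicitly. While here, the description `PID of input_arguments` reads like a copy-paste leftover; `PID of the process to inject into (defaults to spoolsv)` would describe the argument. The same applies to the index.yaml hunks at @@ -11267, @@ -11295, @@ -15272 and @@ -15300.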
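Review bot: the T1058.md hunk at @@ -25 changes weak_service_name from `Registry` to `String`, which is right given the hunk header shows the value being interpolated into a key path (`HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}`), but the description `weak service check` is not a description of the argument. Suggest `Name of the service whose ImagePath registry value is modified`, and carry the same wording into the index.yaml hunks at @@ -4355 and @@ -15640.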
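Review bot: the T1095.md hunks at @@ -27 and @@ -112 normalize types to lowercase `string` and `integer`, while the T1055, T1058 and T1500 hunks in this same patch normalize to capitalized `Integer`, `String` and `Path`. If the point of the patch is a consistent type vocabulary, pick one casing and apply it everywhere, including the index.yaml hunks at @@ -29620 and @@ -29677; otherwise any tooling that validates `type:` values will keep tripping on the same fields.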
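Review bot: the T1099.md hunk at @@ -136 restores the missing `#` so `#{target_file_path}` is actually substituted. Worth noting in the commit message why this matters: the command runs `touch -acmr`, and `-c` tells touch not to create missing files, so the old line passed the literal name `{target_file_path}`, found no such file, and exited 0 without changing any timestamp, a silent no-op that would have made a detection run look like it was exercised when nothing happened. The index.yaml hunk at @@ -12659 matches.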
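Review bot: the T1107.md hunk at @@ -207 removes the folder_to_delete input (default `C:\Windows\Temp\victim-files-ps`) while the `#### Attack Commands: Run with powershell!` block below it is outside the hunk. Please show the command in the diff or confirm it does not reference `#{folder_to_delete}`; a recursive delete whose target placeholder is left unsubstituted is exactly the kind of command that should not be allowed to run with a half-formed path. Same check for the index.yaml hunk at @@ -7460.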
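Review bot: the T1113.md hunks at @@ -41, @@ -70 and @@ -129 correctly append `#{output_file}` so the screenshot goes to the documented location (index.yaml context at @@ -27903 shows `default: desktop.png`). Style point on the index.yaml side: the new quoted commands at @@ -27857, @@ -27872 and @@ -27903 end with two newlines (`'screencapture #{output_file}` followed by a blank line before the closing `'`), whereas other commands in the file such as the T1099 one at @@ -12659 end with a single newline. Drop the extra blank line so the rendered command blocks stay uniform.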
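Review bot: the T1136.md hunk at @@ -39 drops the `comment` input (default `Evil Account`) but the `#### Attack Commands: Run with bash!` block is not in the hunk, so it is not visible whether the useradd invocation still passes `#{comment}`. If the command no longer sets a comment, fine; if it does, the removal breaks substitution. Please include the command lines or confirm. The index.yaml hunk at @@ -1131 carries the same removal.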
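Review bot: the T1143.md hunk at @@ -28 removes powershell_process_name (default `calc`), which by its description names the process the test creates; arguments like that are typically consumed by a cleanup step rather than by the attack command. Neither the attack command nor any cleanup command is in the hunk, so please confirm nothing still references `#{powershell_process_name}`, and mirror the answer onto the index.yaml hunk at @@ -8515. Likewise for the T1134.md hunk at @@ -32, where target_user (default `SYSTEM`) is removed without the PowerShell command being visible; index.yaml hunks @@ -5338 and @@ -13309 repeat that removal for both tactics.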
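Review bot: the T1170.md hunk at @@ -62 brings the table name (`local_file_path`), the command placeholder (`#{local_file_path}`) and the index.yaml entries at @@ -10355 and @@ -23166 into agreement, fixing a command that previously handed the literal string `{local_file_path}` to `Wscript.Shell.Run`. Two follow-ups: the description `Create a local VBScript file` describes a setup action rather than the argument, so `Path to the local VBScript file that mshta executes` would be clearer, and the type `path` is lowercase here while the T1500 hunk at @@ -23 uses `Path`.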
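Review bot: on the index.yaml hunk at @@ -1131 and every index.yaml hunk after it, each change duplicates a change already made in the corresponding atomics/T*/T*.md file (same descriptions, types and defaults appear in both), which is what you would expect from two rendered views of one per-technique definition. The diff contains no change to any atomics/T*/T*.yaml source file. If those definitions were not updated as well, the next regeneration of the markdown and the index will reintroduce the removed inputs and the old types; please either add the source yaml changes to this patch or state in the commit message that the generated files were regenerated from already-updated sources.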