Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2024-07-10 15:06:29 +00:00
parent 39c0efe2d5
commit f30eae885f
12 changed files with 88 additions and 4 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1598-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1599-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+1
@@ -1344,6 +1344,7 @@ collection,T1113,Screen Capture,5,Capture Linux Desktop using Import Tool,9cd1cc
collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freebsd),18397d87-38aa-4443-a098-8a48a8ca5d8d,sh
collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
@@ -897,6 +897,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data
collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
@@ -1858,6 +1858,7 @@
- Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux]
- Atomic Test #7: Windows Screencapture [windows]
- Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
- Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
@@ -1287,6 +1287,7 @@
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #7: Windows Screencapture [windows]
- Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
- Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
+21
@@ -79026,6 +79026,27 @@ collection:
'
name: powershell
- name: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb
description: "Detects the enabling of the Windows Recall feature via registry
manipulation. Windows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\"
registry value. Adversaries may enable Windows Recall as part of post-exploitation
discovery and collection activities. This rule assumes that Recall is already
explicitly disabled on the host, and subsequently enabled by the adversary.
\n- https://learn.microsoft.com/en-us/windows/client-management/manage-recall\n-
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis"
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
cleanup_command: 'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI"
/v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
'
name: powershell
elevation_required: true
T1557:
technique:
modified: '2024-04-18T14:26:21.852Z'
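Review bot: the `description` of the new test (from `description: "Detects the enabling of the Windows Recall feature` through `subsequently enabled by the adversary.`) is written in the voice of a detection rule ("Detects ...", "This rule assumes ..."), but this entry is an atomic test whose executor performs the change; suggest rewording it to describe what the test does, e.g. "Enables Windows Recall by deleting the DisableAIDataAnalysis policy value under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI; the first command seeds the value so that a disabled-to-enabled transition is produced for detection to observe", and keep the two learn.microsoft.com references as the rationale.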
+21
@@ -65059,6 +65059,27 @@ collection:
'
name: powershell
- name: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb
description: "Detects the enabling of the Windows Recall feature via registry
manipulation. Windows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\"
registry value. Adversaries may enable Windows Recall as part of post-exploitation
discovery and collection activities. This rule assumes that Recall is already
explicitly disabled on the host, and subsequently enabled by the adversary.
\n- https://learn.microsoft.com/en-us/windows/client-management/manage-recall\n-
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis"
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
cleanup_command: 'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI"
/v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
'
name: powershell
elevation_required: true
T1557:
technique:
modified: '2024-04-18T14:26:21.852Z'
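Review bot: `cleanup_command` unconditionally re-creates `DisableAIDataAnalysis` with data `1`, but it is the test's own first command (`reg add ... /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f`) that put that value there. On a host where the value did not exist before the test ran, cleanup therefore leaves behind a new policy setting (Recall explicitly disabled) instead of restoring the pre-test state. Suggest either recording whether the value existed before the first `reg add` and deleting it in cleanup when it did not, or stating in the description that the test leaves the policy value set to 1 on exit.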
+37
@@ -21,6 +21,8 @@
- [Atomic Test #8 - Windows Screen Capture (CopyFromScreen)](#atomic-test-8---windows-screen-capture-copyfromscreen)
- [Atomic Test #9 - Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted](#atomic-test-9---windows-recall-feature-enabled---disableaidataanalysis-value-deleted)
<br/>
@@ -381,4 +383,39 @@ Remove-Item #{output_file} -ErrorAction Ignore
<br/>
<br/>
## Atomic Test #9 - Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
**Supported Platforms:** Windows
**auto_generated_guid:** 5a496325-0115-4274-8eb9-755b649ad0fb
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
```
#### Cleanup Commands:
```powershell
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
```
<br/>
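Review bot: the description says the test "assumes that Recall is already explicitly disabled on the host", but the attack commands do not depend on that: the first line `reg add ... /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f` creates or overwrites the value itself, and only the second line performs the deletion the test is named for. Suggest saying so in the description so readers and detection engineers know the `reg add` is a precondition step that will also show up in telemetry (a registry value set immediately followed by a delete of the same value) rather than part of the emulated behaviour. The "Elevation Required" marker would also benefit from one sentence on why elevation is needed, since the key sits under `HKEY_CURRENT_USER`, which readers may expect to be writable without it.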
+1 -1
@@ -195,7 +195,7 @@ atomic_tests:
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
- name: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
auto_generated_guid:
auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb
description: |-
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
+1
@@ -1637,3 +1637,4 @@ fc369906-90c7-4a15-86fd-d37da624dde6
2dfa3bff-9a27-46db-ab75-7faefdaca732
e672a340-a933-447c-954c-d68db38a09b1
6fb4c4c5-f949-4fd2-8af5-ddbc61595223
5a496325-0115-4274-8eb9-755b649ad0fb