Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2024-07-24 14:38:05 +00:00
parent 13f7dde9a3
commit f368a70546
12 changed files with 204 additions and 3 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1619-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1620-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+3
@@ -117,6 +117,7 @@ defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUt
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
@@ -706,6 +707,7 @@ privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,1,Az
privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -1076,6 +1078,7 @@ persistence,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD -
persistence,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
persistence,T1137.006,Office Application Startup: Add-ins,3,Persistent Code Execution Via Word Add-in File (WLL),95408a99-4fa7-4cd6-a7ef-cb65f86351cf,powershell
@@ -65,6 +65,7 @@ defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUt
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -492,6 +493,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,6,Modify Service to Run Arbitrary Binary (Powershell),1f896ce4-8070-4959-8a25-2658856a70c9,powershell
privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -736,6 +738,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,6,Modify
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
persistence,T1137.006,Office Application Startup: Add-ins,3,Persistent Code Execution Via Word Add-in File (WLL),95408a99-4fa7-4cd6-a7ef-cb65f86351cf,powershell
@@ -153,6 +153,7 @@
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
- [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -926,6 +927,7 @@
- Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.006 Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1447,6 +1449,7 @@
- Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
- [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
- Atomic Test #2: Persistent Code Execution Via Excel Add-in File (XLL) [windows]
@@ -93,6 +93,7 @@
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
@@ -662,6 +663,7 @@
- Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
- T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
@@ -1009,6 +1011,7 @@
- Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- Atomic Test #2: Phantom Dll Hijacking - WinAppXRT.dll [windows]
- [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
- Atomic Test #2: Persistent Code Execution Via Excel Add-in File (XLL) [windows]
+72
@@ -5960,6 +5960,30 @@ defense-evasion:
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
T1553.001:
technique:
modified: '2022-11-08T14:00:00.188Z'
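Review bot: the `reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS ...` step in this executor only writes the value to the registry; `reg add` does not broadcast WM_SETTINGCHANGE, so Explorer and any shell that is already running (including the one executing this test) keep their current environment, and processes they spawn will not carry APPX_PROCESS until the user logs off and on again. The description claims the DLL is loaded "everytime user launches an application using .NET", so either document that a fresh logon is needed before the behaviour can be observed, or use `setx APPX_PROCESS 1`, which writes the same HKCU\Environment value and broadcasts the change to running shells. The `reg delete` in cleanup_command has the mirror-image caveat: processes that already hold the variable keep it until they exit.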
@@ -36037,6 +36061,30 @@ privilege-escalation:
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
T1574.014:
technique:
modified: '2024-04-18T15:03:32.158Z'
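Review bot: the description string added in this hunk is hard to read and carries typos that will be reproduced in every generated page: the first sentence is a run-on (".NET components (a couple of DLLs loaded anytime .NET apps are executed) when they are loaded they look for..."), "environmental variable" should be "environment variable", and "everytime" should be "every time". Since this index is generated, the fix belongs in the source T1574.001 test YAML rather than here; suggested first sentence: ".NET components (a couple of DLLs loaded whenever .NET apps are executed) check for an environment variable called APPX_PROCESS when they are loaded."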
@@ -59642,6 +59690,30 @@ persistence:
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
T1137.006:
technique:
x_mitre_platforms:
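Review bot: the cleanup_command lines `del %windir%\System32\WinAppXRT.dll` and `del %APPDATA%\WinAppXRT.dll` lack the `>nul 2>&1` redirection that the sibling test's cleanup uses (`del %APPDATA%\amsi.dll >nul 2>&1`, visible in the leading context of this hunk), so re-running cleanup after a partial run prints "Could Not Find" errors instead of being silently idempotent; suggest adding the same redirection to both lines. Minor: `/t REG_EXPAND_SZ` for the literal value "1" has nothing to expand, and `/t REG_SZ` states the intent more plainly.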
+72
@@ -4530,6 +4530,30 @@ defense-evasion:
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
T1553.001:
technique:
modified: '2022-11-08T14:00:00.188Z'
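Review bot: the test defines no observable post-condition and its description does not tell a defender what to look for, which is the main thing an index consumed by detection engineers needs. The telemetry follows directly from the executor lines and should be documented with the test: a file named WinAppXRT.dll created under %windir%\System32 by a copy from %APPDATA%, a new APPX_PROCESS value written under HKCU\Environment by reg.exe, and, if the load the description promises actually occurs, image-load events for WinAppXRT.dll in .NET processes started afterwards.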
@@ -30105,6 +30129,30 @@ privilege-escalation:
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
T1574.014:
technique:
modified: '2024-04-18T15:03:32.158Z'
@@ -49410,6 +49458,30 @@ persistence:
del %APPDATA%\amsi.dll >nul 2>&1
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: ".NET components (a couple of DLLs loaded anytime .NET apps are
executed) when they are loaded they look for an environment variable called
APPX_PROCESS\nSetting the environmental variable and dropping the phantom
WinAppXRT.dll in e.g. c:\\windows\\system32 (or any other location accessible
via PATH) will ensure the \nWinAppXRT.dll is loaded everytime user launches
an application using .NET.\n\nUpon successful execution, amsi.dll will be
copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied
to system32 folder for loading during execution of any .NET application.\n"
supported_platforms:
- windows
executor:
command: |
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
name: command_prompt
elevation_required: true
T1137.006:
technique:
x_mitre_platforms:
+43
@@ -14,6 +14,8 @@ If a search order-vulnerable program is configured to run at a higher privilege
- [Atomic Test #1 - DLL Search Order Hijacking - amsi.dll](#atomic-test-1---dll-search-order-hijacking---amsidll)
- [Atomic Test #2 - Phantom Dll Hijacking - WinAppXRT.dll](#atomic-test-2---phantom-dll-hijacking---winappxrtdll)
<br/>
@@ -52,4 +54,45 @@ del %APPDATA%\amsi.dll >nul 2>&1
<br/>
<br/>
## Atomic Test #2 - Phantom Dll Hijacking - WinAppXRT.dll
.NET components (a couple of DLLs loaded anytime .NET apps are executed) when they are loaded they look for an environment variable called APPX_PROCESS
Setting the environmental variable and dropping the phantom WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the
WinAppXRT.dll is loaded everytime user launches an application using .NET.
Upon successful execution, amsi.dll will be copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied to system32 folder for loading during execution of any .NET application.
**Supported Platforms:** Windows
**auto_generated_guid:** 46ed938b-c617-429a-88dc-d49b5c9ffedb
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll
```
<br/>
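Review bot: the Attack Commands build the "phantom" DLL by copying `%windir%\System32\amsi.dll` and renaming it, so the file dropped as WinAppXRT.dll is a byte-identical, Microsoft-signed binary; an Authenticode signature is embedded in the PE and does not depend on the filename, so the renamed copy still verifies. The page should say so, because detections keyed on unsigned or untrusted module loads will not fire on this test; the useful signals are the name/path mismatch (a WinAppXRT.dll appearing in System32 with amsi.dll's hash) and the HKCU\Environment write, and the GUID-tagged description is where that belongs.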
+1
@@ -21,6 +21,7 @@ atomic_tests:
name: command_prompt
elevation_required: true
- name: Phantom Dll Hijacking - WinAppXRT.dll
auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb
description: |
.NET components (a couple of DLLs loaded anytime .NET apps are executed) when they are loaded they look for an environment variable called APPX_PROCESS
Setting the environmental variable and dropping the phantom WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the
+1
@@ -1658,3 +1658,4 @@ f2915249-4485-42e2-96b7-9bf34328d497
74094120-e1f5-47c9-b162-a418a0f624d5
cfe6315c-4945-40f7-b5a4-48f7af2262af
5cb0b071-8a5a-412f-839d-116beb2ed9f7
46ed938b-c617-429a-88dc-d49b5c9ffedb