Generate docs from job=validate_atomics_generate_docs branch=master
parent: 7c4a0fd25e
commit: f59bb10f9f
File diff suppressed because one or more lines are too long
@@ -466,6 +466,7 @@ discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Lo
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
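Review bot: the added index row names the new test "Port Scan NMap for Windows" while the existing row 2 in the same hunk is "Port Scan Nmap", which is also the tool's own spelling. These CSV rows are generated, so change the `name:` of the test in its source YAML (the `- name: Port Scan NMap for Windows` line in the `atomic_tests:` hunk further down) rather than editing the index, so that the CSV indexes, the Markdown indexes and the T1046.md heading all come out spelled the same way.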
@@ -283,6 +283,7 @@ discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a
discovery,T1087.001,Local Account,11,Enumerate logged on users via PowerShell,2bdc42c7-8907-40c2-9c2b-42919a00fe03,powershell
discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
@@ -872,6 +872,7 @@
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #3: Port Scan NMap for Windows [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos, linux]
- Atomic Test #2: Network Share Discovery command prompt [windows]
@@ -564,7 +564,8 @@
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #3: Port Scan NMap for Windows [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
@@ -11,7 +11,7 @@
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1551.001/T1551.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Service Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -36597,6 +36597,33 @@ discovery:
telnet #{host} #{port}
nc -nv #{host} #{port}
name: sh
- name: Port Scan NMap for Windows
auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
description: Scan ports to check for listening ports for the local host 127.0.0.1
supported_platforms:
- windows
input_arguments:
file_name:
description: defining NMap install exe
type: path
default: "$env:temp\\nmap-7.80-setup.exe"
nmap_url:
description: defining nmap download url
type: url
default: https://nmap.org/dist/nmap-7.80-setup.exe
dependency_executor_name: powershell
dependencies:
- description: 'NMap must be installed at #{file_name}'
prereq_command: if (cmd /c "where nmap >nul 2>&1") {exit 0} else {exit 1}
get_prereq_command: |-
Invoke-WebRequest -OutFile "#{file_name}" #{nmap_url}
Start-Process #{file_name} /S
executor:
command: nmap 127.0.0.1
cleanup_command: "try {Start-Process 'C:\\Program Files (x86)\\Nmap\\Uninstall.exe'
\"/S\"} catch{} \nRemove-Item #{file_name} -erroraction ignore"
name: powershell
elevation_required: true
T1135:
technique:
id: attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f
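Review bot: the prerequisite check `prereq_command: if (cmd /c "where nmap >nul 2>&1") {exit 0} else {exit 1}` can never report success. With both streams redirected to nul inside the cmd string, `cmd /c` emits nothing, PowerShell evaluates the empty pipeline result as `$false`, and the `else` branch runs every time, so `get_prereq_command` downloads and silently reinstalls Nmap on every invocation even when it is already present. Test the exit code instead, e.g. `cmd /c "where nmap >nul 2>&1"; if ($LASTEXITCODE -eq 0) {exit 0} else {exit 1}`, or drop cmd altogether with `if (Get-Command nmap -ErrorAction SilentlyContinue) {exit 0} else {exit 1}`. Three related points in the same block: `Start-Process #{file_name} /S` returns immediately, so add `-Wait` or the executor `command: nmap 127.0.0.1` can run before the silent install has finished; the executor relies on `nmap` being on PATH, which a fresh install does not add to the PowerShell session that launched it, while `cleanup_command` hardcodes `C:\Program Files (x86)\Nmap\Uninstall.exe`, so either invoke the executable by its installed path in both places or refresh PATH before the scan; and the dependency description `NMap must be installed at #{file_name}` is misleading because `#{file_name}` is the path the installer is downloaded to, not the install location. Finally, the installer fetched with `Invoke-WebRequest` is executed with elevation and no integrity check; pinning an expected SHA-256 for nmap-7.80-setup.exe in the YAML and comparing it with `Get-FileHash` before `Start-Process` would stop the test from running whatever the URL happens to serve. Since this file is generated, the fix belongs in the test's source YAML.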
@@ -10,6 +10,8 @@ Within cloud environments, adversaries may attempt to discover services running

- [Atomic Test #2 - Port Scan Nmap](#atomic-test-2---port-scan-nmap)

- [Atomic Test #3 - Port Scan NMap for Windows](#atomic-test-3---port-scan-nmap-for-windows)


<br/>

@@ -86,4 +88,51 @@ echo "Install nmap on the machine to run the test."; exit 1;



<br/>
<br/>

## Atomic Test #3 - Port Scan NMap for Windows
Scan ports to check for listening ports for the local host 127.0.0.1
**Supported Platforms:** Windows




#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | defining NMap install exe | path | $env:temp\nmap-7.80-setup.exe|
| nmap_url | defining nmap download url | url | https://nmap.org/dist/nmap-7.80-setup.exe|


#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)


```powershell
nmap 127.0.0.1
```

#### Cleanup Commands:
```powershell
try {Start-Process 'C:\Program Files (x86)\Nmap\Uninstall.exe' "/S"} catch{}
Remove-Item #{file_name} -erroraction ignore
```



#### Dependencies: Run with `powershell`!
##### Description: NMap must be installed at #{file_name}
##### Check Prereq Commands:
```powershell

```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest -OutFile "#{file_name}" #{nmap_url}
Start-Process #{file_name} /S
```




<br/>
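Review bot: the rendered "Check Prereq Commands" block under `##### Description: NMap must be installed at #{file_name}` is an empty ```powershell fence, although the YAML index hunk in this same commit carries `prereq_command: if (cmd /c "where nmap >nul 2>&1") {exit 0} else {exit 1}` for this test. The generated Markdown therefore presents the test as having no prerequisite check, and anyone following the page by hand will go straight to the download-and-install step. Check how the docs generator handles this prereq string (the only one on the page that combines `cmd /c "..."` quoting with `>` redirection) and regenerate before merging, since the Markdown is derived from the YAML and hand-editing it here would be overwritten by the next run of validate_atomics_generate_docs.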
@@ -54,6 +54,7 @@ atomic_tests:
nc -nv #{host} #{port}
name: sh
- name: Port Scan NMap for Windows
auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
description: Scan ports to check for listening ports for the local host 127.0.0.1
supported_platforms:
- windows
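Review bot: the new test's `description: Scan ports to check for listening ports for the local host 127.0.0.1` hardcodes the target, whereas the preceding tests in the same file take `#{host}` and `#{port}` (visible in the context line `nc -nv #{host} #{port}`). Consider exposing the target as an input argument that defaults to 127.0.0.1 so the test can emulate scanning another host rather than only the local machine, and tighten the wording to something like "Scan 127.0.0.1 with Nmap to identify listening ports". This is the source YAML for the generated indexes above, so the name spelling ("NMap" vs. the tool's "Nmap", as in the neighbouring "Port Scan Nmap" test) should be fixed here too.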
@@ -550,3 +550,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
a123ce6a-3916-45d6-ba9c-7d4081315c27
a90c2f4d-6726-444e-99d2-a00cd7c20480
43f71395-6c37-498e-ab17-897d814a0947
d696a3cb-d7a8-4976-8eb5-5af4abf2e3df