ATT&CK v17 changes (#3107)

Thanks Hare!
This commit is contained in:
Hare Sudhan
2025-05-01 11:12:40 -04:00
committed by GitHub
parent a3b664bc85
commit f63a2ac494
10 changed files with 614016 additions and 583584 deletions
+2
@@ -35,6 +35,7 @@ Platform = Literal[
"iaas:gcp",
"iaas:azure",
"iaas:aws",
"esxi",
]
ExecutorType = Literal["manual", "powershell", "sh", "bash", "command_prompt"]
DomainName = Annotated[
@@ -74,6 +75,7 @@ def get_supported_platform(platform: Platform):
"iaas:gcp": "GCP",
"google-workspace": "Google Workspace",
"containers": "Containers",
"esxi": "ESXi",
}
return platforms[platform]
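Review bot: The `"esxi"` entry added to the Platform literal and to the display-name map inside get_supported_platform is a third copy of the platform enumeration that the Ruby docs generator (AtomicRedTeamDocs) also hard-codes, so the next platform can be added in one place and silently missed in the others. A comment on the Literal, `# Keep in sync with the platform list hard-coded in the AtomicRedTeamDocs Ruby generator`, would at least point the next editor at the other copies. get_supported_platform starts before the hunk, so whether it documents the KeyError raised by `platforms[platform]` for a value outside the map is not visible here.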
+96 -1
@@ -1,5 +1,5 @@
attack_technique: T1574.001
display_name: 'Hijack Execution Flow: DLL Search Order Hijacking'
display_name: 'Hijack Execution Flow: DLL'
atomic_tests:
- name: DLL Search Order Hijacking - amsi.dll
auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3
@@ -63,3 +63,98 @@ atomic_tests:
del %APPDATA%\ualapi.dll
name: command_prompt
elevation_required: true
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040
description: |
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
gup_executable:
description: GUP is an open source signed binary used by Notepad++ for software updates
type: path
default: PathToAtomicsFolder\T1574.002\bin\GUP.exe
dependency_executor_name: powershell
dependencies:
- description: |
Gup.exe binary must exist on disk at specified location (#{gup_executable})
prereq_command: |
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
executor:
command: |
"#{gup_executable}"
cleanup_command: |
taskkill /F /IM #{process_name} >nul 2>&1
name: command_prompt
- name: DLL Side-Loading using the dotnet startup hook environment variable
auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
description: |
Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
preloader_dll:
description: library for interfacing with the dotnet framework
type: path
default: PathToAtomicsFolder\T1574.002\bin\preloader.dll
dependency_executor_name: powershell
dependencies:
- description: |
.Net SDK must be installed
prereq_command: |
if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
get_prereq_command: |
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
- description: |
preloader must exist
prereq_command: |
if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/preloader.dll?raw=true" -OutFile "#{preloader_dll}"
executor:
command: |
set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.
cleanup_command: |
taskkill /F /IM #{process_name} >nul 2>&1
name: command_prompt
- name: DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
auto_generated_guid: c095ad8e-4469-4d33-be9d-6f6d1fb21585
description: |
Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.
supported_platforms:
- windows
executor:
command: |-
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
cleanup_command: |-
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.
name: powershell
elevation_required: true
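Review bot: The two side-loading tests moved in under T1574.001 still default their binaries to the old folder, `default: PathToAtomicsFolder\T1574.002\bin\GUP.exe` and `default: PathToAtomicsFolder\T1574.002\bin\preloader.dll`, while the matching get_prereq_command lines now download from `atomics/T1574.001/bin/...`, so the prerequisite check looks in a folder this technique no longer owns and the download re-creates it. Changing both defaults to `PathToAtomicsFolder\T1574.001\bin\GUP.exe` and `PathToAtomicsFolder\T1574.001\bin\preloader.dll` keeps the check, the download and the technique in one place. The preloader dependency also lacks the directory creation the GUP dependency has, so Invoke-WebRequest fails when the bin folder is absent; adding `New-Item -Type Directory (split-path "#{preloader_dll}") -ErrorAction ignore | Out-Null` before it mirrors the first dependency. Whether the binaries themselves were moved in this commit is not visible in the diff.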
-178
@@ -1,178 +0,0 @@
# T1574.002 - Hijack Execution Flow: DLL Side-Loading
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1574/002)
<blockquote>
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary](#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary)
- [Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable](#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable)
- [Atomic Test #3 - DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE](#atomic-test-3---dll-search-order-hijackingdll-sideloading-of-keyscrambleriedll-via-keyscramblerexe)
<br/>
## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
**Supported Platforms:** Windows
**auto_generated_guid:** 65526037-7079-44a9-bda1-2cb624838040
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of the created process | string | calculator.exe|
| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder&#92;T1574.002&#92;bin&#92;GUP.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
"#{gup_executable}"
```
#### Cleanup Commands:
```cmd
taskkill /F /IM #{process_name} >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
```
<br/>
<br/>
## Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable
Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
**Supported Platforms:** Windows
**auto_generated_guid:** d322cdd7-7d60-46e3-9111-648848da7c02
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of the created process | string | calculator.exe|
| preloader_dll | library for interfacing with the dotnet framework | path | PathToAtomicsFolder&#92;T1574.002&#92;bin&#92;preloader.dll|
#### Attack Commands: Run with `command_prompt`!
```cmd
set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.
```
#### Cleanup Commands:
```cmd
taskkill /F /IM #{process_name} >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: .Net SDK must be installed
##### Check Prereq Commands:
```powershell
if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
```
##### Description: preloader must exist
##### Check Prereq Commands:
```powershell
if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" -OutFile "#{preloader_dll}"
```
<br/>
<br/>
## Atomic Test #3 - DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.
**Supported Platforms:** Windows
**auto_generated_guid:** c095ad8e-4469-4d33-be9d-6f6d1fb21585
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
```
#### Cleanup Commands:
```powershell
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.
```
<br/>
-99
@@ -1,99 +0,0 @@
attack_technique: T1574.002
display_name: 'Hijack Execution Flow: DLL Side-Loading'
atomic_tests:
- name: DLL Side-Loading using the Notepad++ GUP.exe binary
auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040
description: |
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
gup_executable:
description: GUP is an open source signed binary used by Notepad++ for software updates
type: path
default: PathToAtomicsFolder\T1574.002\bin\GUP.exe
dependency_executor_name: powershell
dependencies:
- description: |
Gup.exe binary must exist on disk at specified location (#{gup_executable})
prereq_command: |
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
executor:
command: |
"#{gup_executable}"
cleanup_command: |
taskkill /F /IM #{process_name} >nul 2>&1
name: command_prompt
- name: DLL Side-Loading using the dotnet startup hook environment variable
auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
description: |
Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of the created process
type: string
default: calculator.exe
preloader_dll:
description: library for interfacing with the dotnet framework
type: path
default: PathToAtomicsFolder\T1574.002\bin\preloader.dll
dependency_executor_name: powershell
dependencies:
- description: |
.Net SDK must be installed
prereq_command: |
if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
get_prereq_command: |
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
- description: |
preloader must exist
prereq_command: |
if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" -OutFile "#{preloader_dll}"
executor:
command: |
set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.
cleanup_command: |
taskkill /F /IM #{process_name} >nul 2>&1
name: command_prompt
- name: DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
auto_generated_guid: c095ad8e-4469-4d33-be9d-6f6d1fb21585
description: |
Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.
supported_platforms:
- windows
executor:
command: |-
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
cleanup_command: |-
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.
name: powershell
elevation_required: true
+22 -5
@@ -37,6 +37,7 @@ class AtomicRedTeamDocs
generate_attack_matrix! 'Windows', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/windows-matrix.md", only_platform: /windows/
generate_attack_matrix! 'macOS', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/macos-matrix.md", only_platform: /macos/
generate_attack_matrix! 'Linux', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/linux-matrix.md", only_platform: /linux/
generate_attack_matrix! 'ESXi', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/esxi-matrix.md", only_platform: /esxi/
generate_index! 'All', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/index.md"
generate_index! 'Windows', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/windows-index.md", only_platform: /windows/, attack_platform: /windows/
@@ -47,6 +48,7 @@ class AtomicRedTeamDocs
generate_index! 'Office 365', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/office-365-index.md", only_platform: /office-365/, attack_platform: /office/
generate_index! 'Google Workspace', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/google-workspace-index.md", only_platform: /google-workspace/, attack_platform: /office/
generate_index! 'Azure AD', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/azure-ad-index.md", only_platform: /azure-ad/, attack_platform: /identity/
generate_index! 'ESXi', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/esxi-index.md", only_platform: /esxi/, attack_platform: /esxi/
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/index.csv"
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/windows-index.csv", only_platform: /windows/, attack_platform: /windows/
@@ -57,9 +59,10 @@ class AtomicRedTeamDocs
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/office-365-index.csv", only_platform: /office-365/, attack_platform: /office/
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/google-workspace-index.csv", only_platform: /google-workspace/, attack_platform: /identity/
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/azure-ad-index.csv", only_platform: /azure-ad/, attack_platform: /identity/
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/azure-ad-index.csv", only_platform: /esxi/, attack_platform: /esxi/
generate_yaml_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/index.yaml"
["windows", "macos", "linux", "office-365", "azure-ad", "google-workspace", "saas", "iaas", "containers", "iaas:gcp", "iaas:azure", "iaas:aws"].each do | platform|
["windows", "macos", "linux", "office-365", "azure-ad", "google-workspace", "saas", "iaas", "containers", "iaas:gcp", "iaas:azure", "iaas:aws", "esxi"].each do | platform|
generate_yaml_index_by_platform! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/#{platform.gsub(':','_')}-index.yaml", platform: "#{platform}"
end
generate_navigator_layer! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json", \
@@ -74,7 +77,8 @@ class AtomicRedTeamDocs
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-saas.json", \
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json", \
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json", \
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json"
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json", \
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-esxi.json"
return oks, fails
end
@@ -300,7 +304,7 @@ class AtomicRedTeamDocs
#
def generate_navigator_layer!(output_layer_path, output_layer_path_win, output_layer_path_mac, output_layer_path_lin, output_layer_path_iaas, \
output_layer_path_iaas_aws, output_layer_path_iaas_azure, output_layer_path_iaas_gcp, output_layer_path_containers, output_layer_path_saas, \
output_layer_path_google_workspace, output_layer_path_azure_ad, output_layer_path_office_365)
output_layer_path_google_workspace, output_layer_path_azure_ad, output_layer_path_office_365, output_layer_path_esxi)
techniques = []
techniques_win = []
@@ -315,6 +319,7 @@ class AtomicRedTeamDocs
techniques_google_workspace = []
techniques_azure_ad = []
techniques_office_365 = []
techniques_esxi = []
ATOMIC_RED_TEAM.atomic_tests.each do |atomic_yaml|
begin
@@ -369,6 +374,9 @@ class AtomicRedTeamDocs
has_office_365_tests = false
office_365_technique = technique.clone
office_365_techniqueParent = techniqueParent.clone
has_esxi_tests = false
esxi_technique = technique.clone
esxi_techniqueParent = techniqueParent.clone
atomic_yaml['atomic_tests'].each do |atomic|
technique['score'] += 1
@@ -427,6 +435,11 @@ class AtomicRedTeamDocs
office_365_technique['score'] += 1
office_365_technique['comment'] += "- " + atomic['name'] + "\n"
end
if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^esxi/} then
has_esxi_tests = true
esxi_technique['score'] += 1
esxi_technique['comment'] += "- " + atomic['name'] + "\n"
end
end
# Update full Atomic Layer
@@ -465,6 +478,9 @@ class AtomicRedTeamDocs
if has_office_365_tests then
update_techniquesList(office_365_technique, office_365_techniqueParent, techniques_office_365, atomic_yaml, true)
end
if has_esxi_tests then
update_techniquesList(esxi_technique, esxi_techniqueParent, techniques_esxi, atomic_yaml, true)
end
end
end
@@ -482,7 +498,7 @@ class AtomicRedTeamDocs
layer_google_workspace = get_layer techniques_google_workspace, "Atomic Red Team (Google-Workspace)"
layer_azure_ad = get_layer techniques_azure_ad, "Atomic Red Team (Azure-AD)"
layer_office_365 = get_layer techniques_office_365, "Atomic Red Team (Office-365)"
layer_esxi = get_layer techniques_esxi, "Atomic Red Team (ESXi)"
File.write output_layer_path,layer.to_json
File.write output_layer_path_win,layer_win.to_json
@@ -496,7 +512,7 @@ class AtomicRedTeamDocs
File.write output_layer_path_google_workspace,layer_google_workspace.to_json
File.write output_layer_path_azure_ad,layer_azure_ad.to_json
File.write output_layer_path_office_365,layer_office_365.to_json
File.write output_layer_path_esxi,layer_esxi.to_json
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_win}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_mac}"
@@ -509,6 +525,7 @@ class AtomicRedTeamDocs
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_google_workspace}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_azure_ad}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_office_365}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_esxi}"
end
end
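Review bot: The new ESXi CSV index line writes to `azure-ad-index.csv`, the same path the line directly above it just wrote the Azure AD index to, so the Azure AD CSV is overwritten with ESXi content and no ESXi CSV is produced at all. The markdown index and matrix lines added in the earlier hunks use an `esxi-` file name, and this one should too: `generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/esxi-index.csv", only_platform: /esxi/, attack_platform: /esxi/`. The enclosing method starts before the hunk, and whatever consumes the Azure AD CSV downstream is not visible here.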