From f6c457593aedfdcc2b0df97db862173d49903914 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 14 Jun 2019 12:41:14 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1485/T1485.md | 23 ++++++++
 atomics/T1496/T1496.md | 25 +++++++++
 atomics/art_navigator_layer.json | 2 +-
 atomics/index.md | 4 +-
 atomics/index.yaml | 94 +++++++++++++++++++++++++++++++-
 atomics/linux-index.md | 4 +-
 atomics/macos-index.md | 4 +-
 atomics/windows-index.md | 2 +-
 8 files changed, 152 insertions(+), 6 deletions(-)
 create mode 100644 atomics/T1496/T1496.md

diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index 3adfad03..b58bf90b 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -16,6 +16,8 @@ To maximize impact on the target organization in operations where network-wide a
 - [Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete)
+- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
+
@@ -77,3 +79,24 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
 sdelete.exe #{file_to_overwrite}
 ```
+
+
+## Atomic Test #5 - macOS/Linux - Overwrite file with DD
+Overwrites and deletes a file using DD.
+
+To stop the test, break the command with CTRL/CMD+C.
+
+**Supported Platforms:** CentOS, Linux, macOS, Ubuntu
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| overwrite_source | Path of data source to overwrite with | Path | /dev/zero|
+| file_to_overwrite | Path of file to overwrite and remove | Path | /var/log/syslog|
+
+#### Run it with `bash`!
+```
+dd of=#{file_to_overwrite} if=#{overwrite_source}
+```
+
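Review bot: The description `Overwrites and deletes a file using DD.` and the input text `Path of file to overwrite and remove` promise a deletion that the command `dd of=#{file_to_overwrite} if=#{overwrite_source}` never performs, so the target stays on disk after the test. Because no `bs=`/`count=` is given and the default source is `/dev/zero`, the copy keeps writing until it is interrupted or the filesystem is full, and the default target `/var/log/syslog` is a live log on most Linux hosts, so running the test with defaults destroys a log and risks filling `/var`; dd truncates the output file on open unless `conv=notrunc` is set, so the original contents are already gone the moment the command starts and the unbounded write only adds disk exhaustion. Bound the write and make the command match its description, e.g. `dd if=#{overwrite_source} of=#{file_to_overwrite} bs=1M count=1` followed by the removal the text promises, or drop `deletes`/`remove` from the description; the "break with CTRL/CMD+C" instruction can then go too. This file is generated output, so the fix belongs in the test's source definition rather than in this commit, and the same description and command are emitted again in the `atomics/index.yaml` hunk (`@@ -21289,7 +21289,31 @@`).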
diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md
new file mode 100644
index 00000000..5f2865d3
--- /dev/null
+++ b/atomics/T1496/T1496.md
@@ -0,0 +1,25 @@
+# T1496 - Resource Hijacking
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1496)
+Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.
+
+One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.
+
+## Atomic Tests
+
+- [Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes](#atomic-test-1---macoslinux---simulate-cpu-load-with-yes)
+
+
+
+## Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes
+This test simulates a high CPU load as you might observe during cryptojacking attacks.
+End the test by using CTRL/CMD+C to break.
+
+**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
+
+
+#### Run it with `bash`!
+```
+yes > /dev/null
+```
+
diff --git a/atomics/art_navigator_layer.json b/atomics/art_navigator_layer.json
index 2d32acc4..9dc6caca 100644
--- a/atomics/art_navigator_layer.json
+++ b/atomics/art_navigator_layer.json
@@ -1 +1 @@ -{"version":"2.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"
enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":tr
ue},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techn
iqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true}]} \ No newline at end of file +{"version":"2.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator 
Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled
":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"t
echniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID"
:"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/index.md b/atomics/index.md index 28414e78..22805814 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -785,6 +785,7 @@ - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows] - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows] - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows] + - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -797,7 +798,8 @@
 - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
 - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
+ - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, centos, ubuntu, linux]
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1489 Service Stop](./T1489/T1489.md)
 - Atomic Test #1: Windows - Stop service using Service Controller [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 19e897a0..8ff99320 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -21289,7 +21289,31 @@ impact:
 default: C:\some\file.txt
 executor:
 name: command_prompt
- command: 'sdelete.exe #{file_to_overwrite}'
+ command: 'sdelete.exe #{file_to_overwrite}
+
+'
+ - name: macOS/Linux - Overwrite file with DD
+ description: |
+ Overwrites and deletes a file using DD.
+
+ To stop the test, break the command with CTRL/CMD+C.
+ supported_platforms:
+ - centos
+ - linux
+ - macos
+ - ubuntu
+ input_arguments:
+ overwrite_source:
+ description: Path of data source to overwrite with
+ type: Path
+ default: "/dev/zero"
+ file_to_overwrite:
+ description: Path of file to overwrite and remove
+ type: Path
+ default: "/var/log/syslog"
+ executor:
+ name: bash
+ command: dd of=#{file_to_overwrite} if=#{overwrite_source}
 '':
 technique:
 external_references:
@@ -21456,6 +21480,74 @@ impact:
 command: |
 bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
 bcdedit.exe /set {default} recoveryenabled no
+ T1496:
+ technique:
+ external_references:
+ - external_id: T1496
+ source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1496
+ - url: https://securelist.com/lazarus-under-the-hood/77908/
+ source_name: Kaspersky Lazarus Under The Hood Blog 2017
+ description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+ 17, 2019.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_data_sources:
+ - Process use of network
+ - Process monitoring
+ - Network protocol analysis
+ - Network device logs
+ modified: '2019-04-26T15:26:57.896Z'
+ x_mitre_detection: Consider monitoring process resource usage to determine anomalous
+ activity associated with malicious hijacking of computer resources such as
+ CPU, memory, and graphics processing resources. Monitor for suspicious use
+ of network resources associated with cryptocurrency mining software. Monitor
+ for common cryptomining software process names and files on local systems
+ that may indicate compromise and resource usage.
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Linux
+ - macOS
+ - Windows
+ kill_chain_phases:
+ - phase_name: impact
+ kill_chain_name: mitre-attack
+ x_mitre_impact_type:
+ - Availability
+ id: attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783
+ name: Resource Hijacking
+ created: '2019-04-17T14:50:05.682Z'
+ x_mitre_version: '1.0'
+ type: attack-pattern
+ description: "Adversaries may leverage the resources of co-opted systems in
+ order to solve resource intensive problems which may impact system and/or
+ hosted service availability. \n\nOne common purpose for Resource Hijacking
+ is to validate transactions of cryptocurrency networks and earn virtual currency.
+ Adversaries may consume enough system resources to negatively impact and/or
+ cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+ Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+ because of the high potential for available resources, but user endpoint systems
+ may also be compromised and used for Resource Hijacking and cryptocurrency
+ mining."
+ x_mitre_permissions_required:
+ - User
+ - Administrator
+ identifier: T1496
+ atomic_tests:
+ - name: macOS/Linux - Simulate CPU Load with Yes
+ description: |
+ This test simulates a high CPU load as you might observe during cryptojacking attacks.
+ End the test by using CTRL/CMD+C to break.
+ supported_platforms:
+ - macos
+ - centos
+ - ubuntu
+ - linux
+ executor:
+ name: bash
+ command: 'yes > /dev/null
+
+'
 T1489:
 technique:
 external_references:
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 6b0465a9..d3147144 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -268,6 +268,7 @@
 # impact
 - [T1485 Data Destruction](./T1485/T1485.md)
+ - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -276,7 +277,8 @@
 - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1490 Inhibit System Recovery](./T1490/T1490.md)
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
+ - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, centos, ubuntu, linux]
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index db571b86..b136cf55 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -305,6 +305,7 @@
 # impact
 - [T1485 Data Destruction](./T1485/T1485.md)
+ - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -313,7 +314,8 @@
 - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1490 Inhibit System Recovery](./T1490/T1490.md)
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
+ - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, centos, ubuntu, linux]
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 01ace0e9..354f69d1 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -566,7 +566,7 @@
 - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
 - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1489 Service Stop](./T1489/T1489.md)
 - Atomic Test #1: Windows - Stop service using Service Controller [windows]