Generated docs from job=generate-docs branch=master [ci skip]

2025-03-12 22:58:52 +00:00
parent 3d289a64b6
commit f6f89f8ba5
16 changed files with 282 additions and 5 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1716-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1717-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -1361,6 +1361,7 @@ command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
 command-and-control,T1572,Protocol Tunneling,4,run ngrok,4cdc9fc7-53fb-4894-9f0c-64836943ea60,powershell
 command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
+command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
@@ -192,6 +192,7 @@ persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
 command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
+command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1095,Non-Application Layer Protocol,4,Linux ICMP Reverse Shell using icmp-cnc,8e139e1f-1f3a-4be7-901d-afae9738c064,manual
@@ -125,6 +125,7 @@ persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using
 persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
+command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
@@ -1853,6 +1853,7 @@
  - Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
  - Atomic Test #4: run ngrok [windows]
  - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
+  - Atomic Test #6: VSCode tunnels (Linux/macOS) [linux, macos]
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -492,6 +492,7 @@
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
  - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
+  - Atomic Test #6: VSCode tunnels (Linux/macOS) [linux, macos]
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -437,6 +437,7 @@
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
  - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
+  - Atomic Test #6: VSCode tunnels (Linux/macOS) [linux, macos]
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -77467,6 +77467,70 @@ command-and-control:
          #{binary_path} user logout
          rm #{binary_path}
        name: bash
+    - name: VSCode tunnels (Linux/macOS)
+      auto_generated_guid: b877943f-0377-44f4-8477-f79db7f07c4d
+      description: |
+        Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
+        This atomic will generate a dev tunnel binding it to the local service running on the provided port.
+        Reference:
+        - [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
+        - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        artifact_base_url:
+          description: Base URL to download code-cli
+          type: string
+          default: https://code.visualstudio.com/sha/download
+        artifact_build:
+          description: build to download - Allowed values (stable/insiders)
+          type: string
+          default: stable
+        payload_path:
+          description: path to download code-cli
+          type: string
+          default: PathToAtomicsFolder/../ExternalPayloads
+        additional_args:
+          description: additional arguments to pass to code tunnel
+          type: string
+          default: ''
+      dependencies:
+      - description: 'Install code-cli
+
+          '
+        prereq_command: 'which code
+
+          '
+        get_prereq_command: "ARCH_SUFFIX=$(uname -m | grep -q \"arm64\\|aarch64\"
+          && echo \"arm64\" || echo \"x64\")\nif [ \"$(uname)\" = \"Darwin\" ]\nthen
+          brew install code-cli\nelif [ \"$(expr substr $(uname) 1 5)\" = \"Linux\"
+          ]\nthen mkdir -p $(dirname #{payload_path})        \n  PKG_TYPE=$(command
+          -v apt >/dev/null && echo \"deb\" || echo \"rpm\")\n  curl -L \"#{artifact_base_url}?build=#{artifact_build}&os=linux-${PKG_TYPE}-${ARCH_SUFFIX}\"
+          -o \"#{payload_path}/code.${PKG_TYPE}\"\n  (which apt && apt install -y
+          \"#{payload_path}/code.${PKG_TYPE}\") || (which yum && yum install -y \"#{payload_path}/code.${PKG_TYPE}\")\n
+          \ rm \"#{payload_path}/code.${PKG_TYPE}\"\nfi\n"
+      - description: 'Login to VSCode Dev tunnels
+
+          '
+        prereq_command: 'code tunnel user show | grep -q "not logged in" && exit 1
+          || exit 0
+
+          '
+        get_prereq_command: 'echo "Login to code tunnel using the following command:
+          code tunnel user login"
+
+          '
+      executor:
+        command: 'nohup code tunnel --accept-server-license-terms #{additional_args}
+          >/dev/null 2>&1 &
+
+          '
+        cleanup_command: |
+          pkill -9 tunnel
+          code tunnel unregister
+          code tunnel user logout
+        name: sh
  T1071.003:
    technique:
      modified: '2024-04-16T12:28:59.928Z'
@@ -44991,6 +44991,70 @@ command-and-control:
          #{binary_path} user logout
          rm #{binary_path}
        name: bash
+    - name: VSCode tunnels (Linux/macOS)
+      auto_generated_guid: b877943f-0377-44f4-8477-f79db7f07c4d
+      description: |
+        Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
+        This atomic will generate a dev tunnel binding it to the local service running on the provided port.
+        Reference:
+        - [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
+        - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        artifact_base_url:
+          description: Base URL to download code-cli
+          type: string
+          default: https://code.visualstudio.com/sha/download
+        artifact_build:
+          description: build to download - Allowed values (stable/insiders)
+          type: string
+          default: stable
+        payload_path:
+          description: path to download code-cli
+          type: string
+          default: PathToAtomicsFolder/../ExternalPayloads
+        additional_args:
+          description: additional arguments to pass to code tunnel
+          type: string
+          default: ''
+      dependencies:
+      - description: 'Install code-cli
+
+          '
+        prereq_command: 'which code
+
+          '
+        get_prereq_command: "ARCH_SUFFIX=$(uname -m | grep -q \"arm64\\|aarch64\"
+          && echo \"arm64\" || echo \"x64\")\nif [ \"$(uname)\" = \"Darwin\" ]\nthen
+          brew install code-cli\nelif [ \"$(expr substr $(uname) 1 5)\" = \"Linux\"
+          ]\nthen mkdir -p $(dirname #{payload_path})        \n  PKG_TYPE=$(command
+          -v apt >/dev/null && echo \"deb\" || echo \"rpm\")\n  curl -L \"#{artifact_base_url}?build=#{artifact_build}&os=linux-${PKG_TYPE}-${ARCH_SUFFIX}\"
+          -o \"#{payload_path}/code.${PKG_TYPE}\"\n  (which apt && apt install -y
+          \"#{payload_path}/code.${PKG_TYPE}\") || (which yum && yum install -y \"#{payload_path}/code.${PKG_TYPE}\")\n
+          \ rm \"#{payload_path}/code.${PKG_TYPE}\"\nfi\n"
+      - description: 'Login to VSCode Dev tunnels
+
+          '
+        prereq_command: 'code tunnel user show | grep -q "not logged in" && exit 1
+          || exit 0
+
+          '
+        get_prereq_command: 'echo "Login to code tunnel using the following command:
+          code tunnel user login"
+
+          '
+      executor:
+        command: 'nohup code tunnel --accept-server-license-terms #{additional_args}
+          >/dev/null 2>&1 &
+
+          '
+        cleanup_command: |
+          pkill -9 tunnel
+          code tunnel unregister
+          code tunnel user logout
+        name: sh
  T1071.003:
    technique:
      modified: '2024-04-16T12:28:59.928Z'
@@ -41945,6 +41945,70 @@ command-and-control:
          #{binary_path} user logout
          rm #{binary_path}
        name: bash
+    - name: VSCode tunnels (Linux/macOS)
+      auto_generated_guid: b877943f-0377-44f4-8477-f79db7f07c4d
+      description: |
+        Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
+        This atomic will generate a dev tunnel binding it to the local service running on the provided port.
+        Reference:
+        - [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
+        - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        artifact_base_url:
+          description: Base URL to download code-cli
+          type: string
+          default: https://code.visualstudio.com/sha/download
+        artifact_build:
+          description: build to download - Allowed values (stable/insiders)
+          type: string
+          default: stable
+        payload_path:
+          description: path to download code-cli
+          type: string
+          default: PathToAtomicsFolder/../ExternalPayloads
+        additional_args:
+          description: additional arguments to pass to code tunnel
+          type: string
+          default: ''
+      dependencies:
+      - description: 'Install code-cli
+
+          '
+        prereq_command: 'which code
+
+          '
+        get_prereq_command: "ARCH_SUFFIX=$(uname -m | grep -q \"arm64\\|aarch64\"
+          && echo \"arm64\" || echo \"x64\")\nif [ \"$(uname)\" = \"Darwin\" ]\nthen
+          brew install code-cli\nelif [ \"$(expr substr $(uname) 1 5)\" = \"Linux\"
+          ]\nthen mkdir -p $(dirname #{payload_path})        \n  PKG_TYPE=$(command
+          -v apt >/dev/null && echo \"deb\" || echo \"rpm\")\n  curl -L \"#{artifact_base_url}?build=#{artifact_build}&os=linux-${PKG_TYPE}-${ARCH_SUFFIX}\"
+          -o \"#{payload_path}/code.${PKG_TYPE}\"\n  (which apt && apt install -y
+          \"#{payload_path}/code.${PKG_TYPE}\") || (which yum && yum install -y \"#{payload_path}/code.${PKG_TYPE}\")\n
+          \ rm \"#{payload_path}/code.${PKG_TYPE}\"\nfi\n"
+      - description: 'Login to VSCode Dev tunnels
+
+          '
+        prereq_command: 'code tunnel user show | grep -q "not logged in" && exit 1
+          || exit 0
+
+          '
+        get_prereq_command: 'echo "Login to code tunnel using the following command:
+          code tunnel user login"
+
+          '
+      executor:
+        command: 'nohup code tunnel --accept-server-license-terms #{additional_args}
+          >/dev/null 2>&1 &
+
+          '
+        cleanup_command: |
+          pkill -9 tunnel
+          code tunnel unregister
+          code tunnel user logout
+        name: sh
  T1071.003:
    technique:
      modified: '2024-04-16T12:28:59.928Z'
@@ -24,6 +24,8 @@ Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/tech

 - [Atomic Test #5 - Microsoft Dev tunnels (Linux/macOS)](#atomic-test-5---microsoft-dev-tunnels-linuxmacos)

+- [Atomic Test #6 - VSCode tunnels (Linux/macOS)](#atomic-test-6---vscode-tunnels-linuxmacos)
+

 <br/>

@@ -270,4 +272,80 @@ echo "Login to devtunnel using the following command: #{binary_path} user login"



+<br/>
+<br/>
+
+## Atomic Test #6 - VSCode tunnels (Linux/macOS)
+Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
+This atomic will generate a dev tunnel binding it to the local service running on the provided port.
+Reference:
+- [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels)
+- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** b877943f-0377-44f4-8477-f79db7f07c4d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| artifact_base_url | Base URL to download code-cli | string | https://code.visualstudio.com/sha/download|
+| artifact_build | build to download - Allowed values (stable/insiders) | string | stable|
+| payload_path | path to download code-cli | string | PathToAtomicsFolder/../ExternalPayloads|
+| additional_args | additional arguments to pass to code tunnel | string | |
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+nohup code tunnel --accept-server-license-terms #{additional_args} >/dev/null 2>&1 &
+```
+
+#### Cleanup Commands:
+```sh
+pkill -9 tunnel
+code tunnel unregister
+code tunnel user logout
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Install code-cli
+##### Check Prereq Commands:
+```sh
+which code
+```
+##### Get Prereq Commands:
+```sh
+ARCH_SUFFIX=$(uname -m | grep -q "arm64\|aarch64" && echo "arm64" || echo "x64")
+if [ "$(uname)" = "Darwin" ]
+then brew install code-cli
+elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
+then mkdir -p $(dirname #{payload_path})        
+  PKG_TYPE=$(command -v apt >/dev/null && echo "deb" || echo "rpm")
+  curl -L "#{artifact_base_url}?build=#{artifact_build}&os=linux-${PKG_TYPE}-${ARCH_SUFFIX}" -o "#{payload_path}/code.${PKG_TYPE}"
+  (which apt && apt install -y "#{payload_path}/code.${PKG_TYPE}") || (which yum && yum install -y "#{payload_path}/code.${PKG_TYPE}")
+  rm "#{payload_path}/code.${PKG_TYPE}"
+fi
+```
+##### Description: Login to VSCode Dev tunnels
+##### Check Prereq Commands:
+```sh
+code tunnel user show | grep -q "not logged in" && exit 1 || exit 0
+```
+##### Get Prereq Commands:
+```sh
+echo "Login to code tunnel using the following command: code tunnel user login"
+```
+
+
+
+
 <br/>
@@ -198,7 +198,7 @@ atomic_tests:
    name: bash

 - name: VSCode tunnels (Linux/macOS)
-  auto_generated_guid: 
+  auto_generated_guid: b877943f-0377-44f4-8477-f79db7f07c4d
  description: |
    Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet.
    This atomic will generate a dev tunnel binding it to the local service running on the provided port.
@@ -1741,3 +1741,4 @@ a4b74723-5cee-4300-91c3-5e34166909b4
 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
 9f94a112-1ce2-464d-a63b-83c1f465f801
+b877943f-0377-44f4-8477-f79db7f07c4d