From fa67d8f04188955ec2c3d1532d2212f26ef5e3e8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 3 Apr 2020 22:24:29 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/index.yaml | 94 ++++++++++++++++++++++---------------- atomics/T1502/T1502.md | 3 ++ atomics/T1504/T1504.md | 25 ++++++---- atomics/T1518/T1518.md | 6 ++- atomics/T1531/T1531.md | 5 +- 5 files changed, 80 insertions(+), 53 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 87171f76..f3166cf3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -3554,7 +3554,8 @@ persistence: atomic_tests: - name: Append malicious start-process cmdlet description: 'Appends a start process cmdlet to the current user''s powershell - profile pofile that points to a malicious executable + profile pofile that points to a malicious executable. Upon execution, calc.exe + will be launched. ' supported_platforms: @@ -3568,19 +3569,19 @@ persistence: description: Powershell profile to use type: String default: "$profile" + dependency_executor_name: powershell + dependencies: + - description: Ensure a powershell profile exists for the current user + prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}' + get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force' executor: name: powershell elevation_required: false command: | - if(Test-Path #{ps_profile}){ - } - else{ - New-Item -Path #{ps_profile} -Type File -Force - } - $malicious = "Start-Process #{exe_path}" - Add-Content #{ps_profile} -Value $malicious - powershell -command exit - cleanup_command: |- + Add-Content #{ps_profile} -Value "" + Add-Content #{ps_profile} -Value "Start-Process #{exe_path}" + powershell -Command exit + cleanup_command: | $oldprofile = cat $profile | Select-Object -skiplast 1 Set-Content $profile -Value $oldprofile T1163: 
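Review bot: The cleanup_command in the @@ -3568 hunk no longer undoes what the new executor command writes: the command appends two lines to `#{ps_profile}` (an empty line, then the Start-Process line), but `cat $profile | Select-Object -skiplast 1` strips only one, so each run leaves an extra blank line in the profile, and the cleanup reads `$profile` instead of the `#{ps_profile}` input argument, so a test run with an overridden ps_profile is never cleaned up. A cleanup that mirrors the input would be `$oldprofile = cat #{ps_profile} | Select-Object -SkipLast 2` followed by `Set-Content #{ps_profile} -Value $oldprofile`. The identical change appears in the privilege-escalation copy at @@ -14812, which has the same problem. Since this index appears to be produced by the doc-generation job named in the subject, the correction presumably belongs in the source atomic definition for T1504 rather than in this file.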
@@ -10758,6 +10759,9 @@ defense-evasion: - name: Parent PID Spoofing using PowerShell description: | This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. + Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and + calc.exe will be launched. + Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) supported_platforms: - windows @@ -14607,6 +14611,9 @@ privilege-escalation: - name: Parent PID Spoofing using PowerShell description: | This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. + Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and + calc.exe will be launched. + Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) supported_platforms: - windows @@ -14798,7 +14805,8 @@ privilege-escalation: atomic_tests: - name: Append malicious start-process cmdlet description: 'Appends a start process cmdlet to the current user''s powershell - profile pofile that points to a malicious executable + profile pofile that points to a malicious executable. Upon execution, calc.exe + will be launched. ' supported_platforms: 
@@ -14812,19 +14820,19 @@ privilege-escalation: description: Powershell profile to use type: String default: "$profile" + dependency_executor_name: powershell + dependencies: + - description: Ensure a powershell profile exists for the current user + prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}' + get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force' executor: name: powershell elevation_required: false command: | - if(Test-Path #{ps_profile}){ - } - else{ - New-Item -Path #{ps_profile} -Type File -Force - } - $malicious = "Start-Process #{exe_path}" - Add-Content #{ps_profile} -Value $malicious - powershell -command exit - cleanup_command: |- + Add-Content #{ps_profile} -Value "" + Add-Content #{ps_profile} -Value "Start-Process #{exe_path}" + powershell -Command exit + cleanup_command: | $oldprofile = cat $profile | Select-Object -skiplast 1 Set-Content $profile -Value $oldprofile T1055: @@ -15850,10 +15858,9 @@ impact: identifier: T1531 atomic_tests: - name: Change User Password - Windows - description: 'Changes the user password to hinder access attempts. Seen in use - by LockerGoga. - -' + description: | + Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with + the password "HuHuHUHoHo283283". supported_platforms: - windows input_arguments: @@ -15883,7 +15890,8 @@ impact: ' - name: Delete User - Windows - description: 'Deletes a user account to prevent access. + description: 'Deletes a user account to prevent access. Upon execution, run + the command "net user" to verify that the new "AtomicUser" account was deleted. ' supported_platforms: @@ -15904,7 +15912,9 @@ impact: executor: name: command_prompt elevation_required: true - command: 'net.exe user #{user_account} /delete' + command: 'net.exe user #{user_account} /delete + +' T1485: technique: x_mitre_data_sources: 
@@ -16590,7 +16600,9 @@ impact: executor: name: bash elevation_required: true - command: "halt -p \n" + command: 'halt -p + +' - name: Reboot System via `halt` - Linux description: 'This test restarts a Linux system using `halt`. @@ -16600,7 +16612,9 @@ impact: executor: name: bash elevation_required: true - command: "halt --reboot \n" + command: 'halt --reboot + +' - name: Shutdown System via `poweroff` - Linux description: 'This test shuts down a Linux system using `poweroff`. @@ -16610,7 +16624,9 @@ impact: executor: name: bash elevation_required: true - command: "poweroff \n" + command: 'poweroff + +' - name: Reboot System via `poweroff` - Linux description: 'This test restarts a Linux system using `poweroff`. @@ -16620,7 +16636,9 @@ impact: executor: name: bash elevation_required: true - command: 'poweroff --reboot ' + command: 'poweroff --reboot + +' discovery: T1087: technique: @@ -18559,11 +18577,9 @@ discovery: identifier: T1518 atomic_tests: - name: Find and Display Internet Explorer Browser Version - description: 'Adversaries may attempt to get a listing of non-security related - software that is installed on the system. Adversaries may use the information - from Software Discovery during automated discovery to shape follow-on behaviors - -' + description: | + Query the registry to determine the version of internet explorer installed on the system. + Upon execution, version information about internet explorer will be displayed. supported_platforms: - windows executor: 
@@ -18574,11 +18590,9 @@ discovery: ' - name: Applications Installed - description: 'Adversaries may attempt to get a listing of all software that - is installed on the system. Adversaries may use the information from Software - Discovery during automated discovery to shape follow-on behaviors - -' + description: | + Query the registry to determine software and versions installed on the system. Upon execution a table of + software name and version information will be displayed. supported_platforms: - windows executor: diff --git a/atomics/T1502/T1502.md b/atomics/T1502/T1502.md index 1f6dbeb7..5030475c 100644 --- a/atomics/T1502/T1502.md +++ b/atomics/T1502/T1502.md @@ -15,6 +15,9 @@ Explicitly assigning the PPID may also enable [Privilege Escalation](https://att ## Atomic Test #1 - Parent PID Spoofing using PowerShell This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. +Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and +calc.exe will be launched. + Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) **Supported Platforms:** Windows diff --git a/atomics/T1504/T1504.md b/atomics/T1504/T1504.md index 05fa4c64..7e243225 100644 --- a/atomics/T1504/T1504.md +++ b/atomics/T1504/T1504.md @@ -14,7 +14,7 @@ An adversary may also be able to escalate privileges if a script in a PowerShell
## Atomic Test #1 - Append malicious start-process cmdlet -Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable +Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. **Supported Platforms:** Windows @@ -32,14 +32,9 @@ Appends a start process cmdlet to the current user's powershell profile pofile t ```powershell -if(Test-Path #{ps_profile}){ -} -else{ - New-Item -Path #{ps_profile} -Type File -Force -} -$malicious = "Start-Process #{exe_path}" -Add-Content #{ps_profile} -Value $malicious -powershell -command exit +Add-Content #{ps_profile} -Value "" +Add-Content #{ps_profile} -Value "Start-Process #{exe_path}" +powershell -Command exit ``` #### Cleanup Commands: @@ -50,6 +45,18 @@ Set-Content $profile -Value $oldprofile +#### Dependencies: Run with `powershell`! +##### Description: Ensure a powershell profile exists for the current user +##### Check Prereq Commands: +```powershell +if (Test-Path #{ps_profile}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Path #{ps_profile} -Type File -Force +``` + +
diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index 36b4531a..b22d2b7c 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -12,7 +12,8 @@
## Atomic Test #1 - Find and Display Internet Explorer Browser Version -Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors +Query the registry to determine the version of internet explorer installed on the system. +Upon execution, version information about internet explorer will be displayed. **Supported Platforms:** Windows @@ -36,7 +37,8 @@ reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersio
## Atomic Test #2 - Applications Installed -Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors +Query the registry to determine software and versions installed on the system. Upon execution a table of +software name and version information will be displayed. **Supported Platforms:** Windows diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md index a41ee076..61f31b73 100644 --- a/atomics/T1531/T1531.md +++ b/atomics/T1531/T1531.md @@ -14,7 +14,8 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c
## Atomic Test #1 - Change User Password - Windows -Changes the user password to hinder access attempts. Seen in use by LockerGoga. +Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with +the password "HuHuHUHoHo283283". **Supported Platforms:** Windows @@ -61,7 +62,7 @@ net user #{user_account} #{new_user_password} /add
## Atomic Test #2 - Delete User - Windows -Deletes a user account to prevent access. +Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. **Supported Platforms:** Windows