Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-03-23 20:57:21 +00:00
parent 1e601b4b9c
commit fb702afdef
6 changed files with 64 additions and 145 deletions
+11 -46
View File
@@ -27,15 +27,13 @@ Malware commonly utilizes process injection to access system resources through w
- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
- [Atomic Test #2 - Process Injection via PowerSploit](#atomic-test-2---process-injection-via-powersploit)
- [Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-2---shared-library-injection-via-etcldsopreload)
- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
- [Atomic Test #3 - Shared Library Injection via LD_PRELOAD](#atomic-test-3---shared-library-injection-via-ld_preload)
- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload)
- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c)
- [Atomic Test #6 - svchost writing a file to a UNC path](#atomic-test-6---svchost-writing-a-file-to-a-unc-path)
- [Atomic Test #5 - svchost writing a file to a UNC path](#atomic-test-5---svchost-writing-a-file-to-a-unc-path)
<br/>
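Review bot: renumbering the surviving tests (ld.so.preload #3 to #2, LD_PRELOAD #4 to #3, C# #5 to #4, svchost #6 to #5) silently repoints every heading anchor in this table of contents; `#atomic-test-3---shared-library-injection-via-etcldsopreload` used to resolve to the ld.so.preload test and after this change the "#3" anchor resolves to the LD_PRELOAD test instead of failing, so any external link, detection-mapping note or runbook that references a T1055 test by number now lands on the wrong test without error. Since numbers are positional in the source YAML, the PR that removed the PowerSploit test should call the renumbering out explicitly, and downstream consumers should key on the test name rather than the number.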
@@ -43,7 +41,7 @@ Malware commonly utilizes process injection to access system resources through w
## Atomic Test #1 - Process Injection via mavinject.exe
Windows 10 Utility To Inject DLLS.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
**Supported Platforms:** Windows
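Review bot: the only change in this hunk is trailing whitespace, but the regenerated line still states the injection backwards: "spawn mavinject.exe to perform process injection in T1055.dll". The executor in the index further down runs `mavinject $mypid /INJECTRUNNING #{dll_payload}`, which injects T1055.dll into the process identified by `$mypid`; the DLL is the payload, not the target. Fix the wording in the T1055 source YAML ("spawn mavinject.exe to inject T1055.dll into the target process"), since this markdown is generated from it.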
@@ -86,41 +84,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
<br/>
## Atomic Test #2 - Process Injection via PowerSploit
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to Inject | Path | T1055.dll|
| process_id | PID of input_arguments | Integer | (get-process spoolsv).id|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$mypid = #{process_id}
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
```
<br/>
<br/>
## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
## Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
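Review bot: removing the PowerSploit test is defensible on what is visible here, but the rationale should be recorded in the source change, because this commit only shows generated output. The deleted executor ran `Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}` as if the script were on PATH, the test had no Dependencies or Get Prereq section that downloaded it despite the description promising that "powershell.exe will download `Invoke-DLLInjection.ps1`", and the description had the direction inverted ("inject into the `T1055.dll` shared library file" when T1055.dll is the payload and the spoolsv PID is the target). If the intent is to keep a PowerShell-based injection atomic, the replacement should dot-source the script and call the `Invoke-DllInjection` function, with a prereq that fetches it.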
@@ -150,7 +115,7 @@ echo #{path_to_shared_library} > /etc/ld.so.preload
<br/>
<br/>
## Atomic Test #4 - Shared Library Injection via LD_PRELOAD
## Atomic Test #3 - Shared Library Injection via LD_PRELOAD
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.
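Review bot: the context line "bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`" is wrong and survives the renumbering unchanged. The command under this heading is `LD_PRELOAD=#{path_to_shared_library} ls`, so the object loaded is whatever `path_to_shared_library` points at, and `/etc/ld.so.preload` plays no part in this test (it belongs to the previous one). Suggested wording for the source YAML: "bash will set LD_PRELOAD to `#{path_to_shared_library}` so that `ls` loads it; output is via stdout."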
@@ -181,7 +146,7 @@ LD_PRELOAD=#{path_to_shared_library} ls
<br/>
<br/>
## Atomic Test #5 - Process Injection via C#
## Atomic Test #4 - Process Injection via C#
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
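Review bot: "Excercises Five Techniques" is misspelled (Exercises) and is carried straight through by the generator; correct it in the T1055 YAML rather than here, otherwise the next doc-generation run reintroduces it.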
@@ -218,9 +183,9 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec
<br/>
<br/>
## Atomic Test #6 - svchost writing a file to a UNC path
## Atomic Test #5 - svchost writing a file to a UNC path
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
**Supported Platforms:** Windows
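Review bot: heading and description disagree. The heading says "svchost writing a file to a UNC path", but the description that follows only says the test renames cmd.exe to svchost.exe, moves it to `c:\` and executes it "with output to a txt file"; no UNC destination (`\\server\share\...`) is mentioned anywhere. Either the description should state the UNC path the executor actually writes to, or the test name overstates what the command does. The executor command is not in this hunk, so please verify against it and align one of the two in the source YAML.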
+5 -3
View File
@@ -232,6 +232,8 @@ msiexec.exe /q /i "#{msi_payload}"
## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
By default, if the src folder is not in place, it will download the 64 bit version.
**Supported Platforms:** Windows
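Review bot: the added guidance "For 32 bit systems change the dll_payload argument to the Win32 folder" is incomplete. The default being replaced in the next hunk goes from `PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll` to `PathToAtomicsFolder\T1218\src\x64\T1218.dll`, so the 32-bit binary is named T1218-2.dll, not T1218.dll; a reader who only swaps the folder name ends up pointing at a file that does not exist. State the full 32-bit path in the description.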
@@ -241,7 +243,7 @@ Execute arbitrary DLL file stored locally. Commonly seen in application installa
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;Win32&#92;T1218-2.dll|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;x64&#92;T1218.dll|
#### Attack Commands: Run with `command_prompt`!
@@ -255,7 +257,7 @@ msiexec.exe /y "#{dll_payload}"
#### Dependencies: Run with `powershell`!
##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
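Review bot: `if (Test-Path #{dll_payload}) {exit 0} else {exit 1}` substitutes the path unquoted, so any PathToAtomicsFolder containing a space breaks the check and the framework treats the prerequisite as missing on every run. The Get Prereq command below this already quotes the same placeholder (`-OutFile "#{dll_payload}"`); make the check consistent with it: `if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}`.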
@@ -263,7 +265,7 @@ if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
```
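Review bot: the Get Prereq command hard-codes the x64 download (`.../src/x64/T1218.dll`) and writes it to whatever `#{dll_payload}` holds, so a user who follows the new description and points dll_payload at the Win32 folder on a 32-bit host gets the 64-bit DLL saved under the 32-bit name whenever the file is missing, and msiexec then fails to load it. Either derive the URL from the same architecture segment as the path, or branch on `[Environment]::Is64BitOperatingSystem` in the prereq and pick the matching URL; at minimum the description's "it will download the 64 bit version" should say this happens regardless of the dll_payload value.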
+8 -10
View File
@@ -345,11 +345,10 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #5: Process Injection via C# [windows]
- Atomic Test #6: svchost writing a file to a UNC path [windows]
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -462,11 +461,10 @@
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #5: Process Injection via C# [windows]
- Atomic Test #6: svchost writing a file to a UNC path [windows]
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
+32 -76
View File
@@ -11111,9 +11111,10 @@ defense-evasion:
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
description: "Windows 10 Utility To Inject DLLS.\n\nUpon successful execution,
powershell.exe will download T1055.dll to disk. Powershell will then spawn
mavinject.exe to perform process injection in T1055.dll. \n"
description: |
Windows 10 Utility To Inject DLLS.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
supported_platforms:
- windows
input_arguments:
@@ -11138,33 +11139,11 @@ defense-evasion:
command: |
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
- name: Process Injection via PowerSploit
description: |
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to Inject
type: Path
default: T1055.dll
process_id:
description: PID of input_arguments
type: Integer
default: "(get-process spoolsv).id"
executor:
name: powershell
elevation_required: true
command: |
$mypid = #{process_id}
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
- name: Shared Library Injection via /etc/ld.so.preload
description: "This test adds a shared library to the `ld.so.preload` list to
execute and intercept API calls. This technique was used by threat actor Rocke
during the exploitation of Linux web servers. This requires the `glibc` package.
\n\nUpon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon
successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
\n"
supported_platforms:
- linux
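Review bot: the reflowed ld.so.preload description still documents a relative path: "bash will echo `../bin/T1055.so` to /etc/ld.so.preload". Entries in `/etc/ld.so.preload` that contain a slash are opened as given, relative to the working directory of each process the loader starts, so the library is only preloaded into processes launched from a directory where `../bin/T1055.so` resolves, and every other process on the host emits a loader "cannot be preloaded" warning, which is noisy and not what a detection test for this technique should exercise. The source YAML should use an absolute path for the default (and the description should match it).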
@@ -11219,10 +11198,9 @@ defense-evasion:
name: command_prompt
command: ".\\bin\\#{exe_binary}\n"
- name: svchost writing a file to a UNC path
description: "svchost.exe writing a non-Microsoft Office file to a file with
a UNC path.\nUpon successful execution, this will rename cmd.exe as svchost.exe
and move it to `c:\\`, then execute svchost.exe with output to a txt file.
\n"
description: |
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
supported_platforms:
- windows
executor:
@@ -12145,24 +12123,24 @@ defense-evasion:
'
- name: Msiexec.exe - Execute Arbitrary DLL
description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
installation.
'
description: |
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
By default, if the src folder is not in place, it will download the 64 bit version.
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute
type: Path
default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
default: PathToAtomicsFolder\T1218\src\x64\T1218.dll
dependency_executor_name: powershell
dependencies:
- description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
- description: T1218.dll must exist on disk at specified location (#{dll_payload})
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
executor:
name: command_prompt
command: 'msiexec.exe /y "#{dll_payload}"
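Review bot: the new description says "Execute arbitrary DLL file stored locally", but `msiexec.exe /y "#{dll_payload}"` specifically calls the DLL's `DllRegisterServer` export (that is what `/y` does); a DLL without that export will not run anything. Stating that in the source YAML description tells detection engineers what code path to expect, and explains why the shipped T1218 DLLs have to implement `DllRegisterServer` to show the "Boom!" window described above.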
@@ -14975,9 +14953,10 @@ privilege-escalation:
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
description: "Windows 10 Utility To Inject DLLS.\n\nUpon successful execution,
powershell.exe will download T1055.dll to disk. Powershell will then spawn
mavinject.exe to perform process injection in T1055.dll. \n"
description: |
Windows 10 Utility To Inject DLLS.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
supported_platforms:
- windows
input_arguments:
@@ -15002,33 +14981,11 @@ privilege-escalation:
command: |
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
- name: Process Injection via PowerSploit
description: |
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to Inject
type: Path
default: T1055.dll
process_id:
description: PID of input_arguments
type: Integer
default: "(get-process spoolsv).id"
executor:
name: powershell
elevation_required: true
command: |
$mypid = #{process_id}
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
- name: Shared Library Injection via /etc/ld.so.preload
description: "This test adds a shared library to the `ld.so.preload` list to
execute and intercept API calls. This technique was used by threat actor Rocke
during the exploitation of Linux web servers. This requires the `glibc` package.
\n\nUpon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon
successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
\n"
supported_platforms:
- linux
@@ -15083,10 +15040,9 @@ privilege-escalation:
name: command_prompt
command: ".\\bin\\#{exe_binary}\n"
- name: svchost writing a file to a UNC path
description: "svchost.exe writing a non-Microsoft Office file to a file with
a UNC path.\nUpon successful execution, this will rename cmd.exe as svchost.exe
and move it to `c:\\`, then execute svchost.exe with output to a txt file.
\n"
description: |
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
supported_platforms:
- windows
executor:
@@ -24411,24 +24367,24 @@ execution:
'
- name: Msiexec.exe - Execute Arbitrary DLL
description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
installation.
'
description: |
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
By default, if the src folder is not in place, it will download the 64 bit version.
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute
type: Path
default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
default: PathToAtomicsFolder\T1218\src\x64\T1218.dll
dependency_executor_name: powershell
dependencies:
- description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
- description: T1218.dll must exist on disk at specified location (#{dll_payload})
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
executor:
name: command_prompt
command: 'msiexec.exe /y "#{dll_payload}"
+4 -4
View File
@@ -186,8 +186,8 @@
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](./T1014/T1014.md)
@@ -329,8 +329,8 @@
# privilege-escalation
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
+4 -6
View File
@@ -143,9 +143,8 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #5: Process Injection via C# [windows]
- Atomic Test #6: svchost writing a file to a UNC path [windows]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -238,9 +237,8 @@
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #5: Process Injection via C# [windows]
- Atomic Test #6: svchost writing a file to a UNC path [windows]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]