security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2023-09-19 19:41:40 +00:00
parent d604c832de
commit fc49b11d8e
9 changed files with 98 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -265,6 +265,7 @@ defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa
defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
265 defense-evasion T1112 Modify Registry 56 Snake Malware Registry Blob 8318ad20-0488-4a64-98f4-72525a012f6b powershell
266 defense-evasion T1112 Modify Registry 57 Allow Simultaneous Download Registry 37950714-e923-4f92-8c7c-51e4b6fffbf6 command_prompt
267 defense-evasion T1112 Modify Registry 58 Modify Internet Zone Protocol Defaults in Current User Registry - cmd c88ef166-50fa-40d5-a80c-e2b87d4180f7 command_prompt
268 defense-evasion T1112 Modify Registry 59 Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell b1a4d687-ba52-4057-81ab-757c3dc0d3b5 powershell
269 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
270 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
271 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 2 Pad Binary to Change Hash using truncate command - Linux/macOS e22a9e89-69c7-410f-a473-e6c212cd2292 sh
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -188,6 +188,7 @@ defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa
defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
188 defense-evasion T1112 Modify Registry 56 Snake Malware Registry Blob 8318ad20-0488-4a64-98f4-72525a012f6b powershell
189 defense-evasion T1112 Modify Registry 57 Allow Simultaneous Download Registry 37950714-e923-4f92-8c7c-51e4b6fffbf6 command_prompt
190 defense-evasion T1112 Modify Registry 58 Modify Internet Zone Protocol Defaults in Current User Registry - cmd c88ef166-50fa-40d5-a80c-e2b87d4180f7 command_prompt
191 defense-evasion T1112 Modify Registry 59 Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell b1a4d687-ba52-4057-81ab-757c3dc0d3b5 powershell
192 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
193 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
194 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -348,6 +348,7 @@
- Atomic Test #56: Snake Malware Registry Blob [windows]
- Atomic Test #57: Allow Simultaneous Download Registry [windows]
- Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
- Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -254,6 +254,7 @@
- Atomic Test #56: Snake Malware Registry Blob [windows]
- Atomic Test #57: Allow Simultaneous Download Registry [windows]
- Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
- Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/index.yaml
+23
View File
@@ -12856,6 +12856,29 @@ defense-evasion:
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 3 /F
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 3 /F
name: command_prompt
- name: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
auto_generated_guid: b1a4d687-ba52-4057-81ab-757c3dc0d3b5
description: "This test simulates an adversary modifying the Internet Zone Protocol
Defaults in the registry of the currently logged-in user using PowerShell.
Such modifications can be indicative of an adversary attempting to weaken
browser security settings. \nTo verify the effects of the test:\n1. Open the
Registry Editor (regedit.exe).\n2. Navigate to \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet
Settings\\ZoneMap\\ProtocolDefaults\".\n3. Check for the presence of the \"http\"
and \"https\" DWORD values set to `0`.\nOr run:\n```powershell\nGet-ItemProperty
-Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults'
| Select-Object http,https\n```\n"
supported_platforms:
- windows
executor:
command: |
# Set the registry values for http and https to 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 0
cleanup_command: |
# Restore the registry values for http and https to 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
name: powershell
T1574.008:
technique:
modified: '2023-03-30T21:01:44.781Z'
atomics/Indexes/windows-index.yaml
+23
View File
@@ -10734,6 +10734,29 @@ defense-evasion:
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 3 /F
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 3 /F
name: command_prompt
- name: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
auto_generated_guid: b1a4d687-ba52-4057-81ab-757c3dc0d3b5
description: "This test simulates an adversary modifying the Internet Zone Protocol
Defaults in the registry of the currently logged-in user using PowerShell.
Such modifications can be indicative of an adversary attempting to weaken
browser security settings. \nTo verify the effects of the test:\n1. Open the
Registry Editor (regedit.exe).\n2. Navigate to \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet
Settings\\ZoneMap\\ProtocolDefaults\".\n3. Check for the presence of the \"http\"
and \"https\" DWORD values set to `0`.\nOr run:\n```powershell\nGet-ItemProperty
-Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults'
| Select-Object http,https\n```\n"
supported_platforms:
- windows
executor:
command: |
# Set the registry values for http and https to 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 0
cleanup_command: |
# Restore the registry values for http and https to 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
name: powershell
T1574.008:
technique:
modified: '2023-03-30T21:01:44.781Z'
atomics/T1112/T1112.md
+46
View File
@@ -126,6 +126,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #58 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd](#atomic-test-58---modify-internet-zone-protocol-defaults-in-current-user-registry---cmd)
- [Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell](#atomic-test-59---modify-internet-zone-protocol-defaults-in-current-user-registry---powershell)
<br/>
@@ -2152,4 +2154,48 @@ reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Se
<br/>
<br/>
## Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using PowerShell. Such modifications can be indicative of an adversary attempting to weaken browser security settings.
To verify the effects of the test:
1. Open the Registry Editor (regedit.exe).
2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
3. Check for the presence of the "http" and "https" DWORD values set to `0`.
Or run:
```powershell
Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' | Select-Object http,https
```
**Supported Platforms:** Windows
**auto_generated_guid:** b1a4d687-ba52-4057-81ab-757c3dc0d3b5
#### Attack Commands: Run with `powershell`!
```powershell
# Set the registry values for http and https to 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 0
```
#### Cleanup Commands:
```powershell
# Restore the registry values for http and https to 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
```
<br/>