security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix nesting and remove empty entries (#2825)

Browse Source 
* fix nesting and remove empty entries

* missed an indent correction

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Phil Hagen
2024-07-03 17:31:05 -05:00
committed by GitHub
parent 87b5a285ca
commit fd399bb6ed
14 changed files with 171 additions and 174 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1001.002/T1001.002.yaml
+52 -52
View File
@@ -35,36 +35,36 @@ atomic_tests:
default: $env:TEMP\random_passwords.txt
dependency_executor_name: powershell
dependencies:
- description: |
Image file must exist
prereq_command: |
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
- description: |
File to hide within tarz file must exist
prereq_command: |
if (!(Test-Path "#{passwords_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
$passwords | Out-File -FilePath "#{passwords_file}"
- description: |
Tarz file to embed in image must exist
prereq_command: |
if (!(Test-Path "#{tar_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
Write-Output "Generating tarz file..."
tar -cvf "#{tar_file}" "#{passwords_file}"
- description: |
Image file must exist
prereq_command: |
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
- description: |
File to hide within tarz file must exist
prereq_command: |
if (!(Test-Path "#{passwords_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
$passwords | Out-File -FilePath "#{passwords_file}"
- description: |
Tarz file to embed in image must exist
prereq_command: |
if (!(Test-Path "#{tar_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
Write-Output "Generating tarz file..."
tar -cvf "#{tar_file}" "#{passwords_file}"
executor:
name: powershell
elevation_required: true
@@ -101,28 +101,28 @@ atomic_tests:
default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
dependency_executor_name: powershell
dependencies:
- description: |
Image file must exist
prereq_command: |
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
- description: |
Extract-Invoke-PSImage must exist
prereq_command: |
if (!(Test-Path "#{psimage_script}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
- description: |
Image file must exist
prereq_command: |
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
- description: |
Extract-Invoke-PSImage must exist
prereq_command: |
if (!(Test-Path "#{psimage_script}")) {exit 1} else {
{exit 0}
}
get_prereq_command: |
New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
executor:
name: powershell
elevation_required: true
atomics/T1055.011/T1055.011.yaml
+6 -6
View File
@@ -21,12 +21,12 @@ atomic_tests:
default: PathToAtomicsFolder\T1055.011\bin\payload.exe_#{arch}.bin
dependency_executor_name: powershell
dependencies:
- description: "T1055.011x64.exe and payload must exist on disk at specified location (#{exe_binary} and #{payload_file})"
prereq_command: "if (Test-Path #{exe_binary}) {exit 0} else {exit 1}"
get_prereq_command: |-
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/T1055.011_#{arch}.exe" -OutFile "#{exe_binary}" -UseBasicParsing
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/payload.exe_#{arch}.bin" -OutFile "#{payload_file}" -UseBasicParsing
- description: "T1055.011x64.exe and payload must exist on disk at specified location (#{exe_binary} and #{payload_file})"
prereq_command: "if (Test-Path #{exe_binary}) {exit 0} else {exit 1}"
get_prereq_command: |-
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/T1055.011_#{arch}.exe" -OutFile "#{exe_binary}" -UseBasicParsing
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/payload.exe_#{arch}.bin" -OutFile "#{payload_file}" -UseBasicParsing
executor:
command: |-
#{exe_binary}
atomics/T1059.006/T1059.006.yaml
+27 -27
View File
@@ -25,12 +25,12 @@ atomic_tests:
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
dependency_executor_name: sh
dependencies:
- description: Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
- description: Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python3.9 || which python2)
@@ -67,13 +67,13 @@ atomic_tests:
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
dependency_executor_name: sh
dependencies:
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python3.9 || which python2)
@@ -124,13 +124,13 @@ atomic_tests:
default: T1059.006.pyc
dependency_executor_name: sh
dependencies:
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python3.9 || which python2)
@@ -156,13 +156,13 @@ atomic_tests:
supported_platforms:
- linux
dependencies:
- description: |
Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
- description: |
Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |-
which_python=$(which python || which python3 || which python3.9 || which python2)
atomics/T1072/T1072.yaml
+9 -9
View File
@@ -75,15 +75,15 @@ atomic_tests:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
Chocolatey must be installed to deploy 7-Zip.
prereq_command: |
if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading Chocolatey installer
Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1"
Write-Host Installing Chocolatey
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait
- description: |
Chocolatey must be installed to deploy 7-Zip.
prereq_command: |
if (Test-Path "${env:ProgramFiles(x86)}\Chocolatey\choco.exe") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading Chocolatey installer
Invoke-WebRequest -Uri "https://chocolatey.org/install.ps1" -OutFile "chocolatey-install.ps1"
Write-Host Installing Chocolatey
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File chocolatey-install.ps1" -Wait
executor:
name: powershell
elevation_required: false
atomics/T1201/T1201.yaml
+6 -6
View File
@@ -138,12 +138,12 @@ atomic_tests:
supported_platforms:
- iaas:aws
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
executor:
command: |
aws iam get-account-password-policy
atomics/T1202/T1202.yaml
-1
View File
@@ -71,7 +71,6 @@ atomic_tests:
type: String
default: C:\Windows\System32\calc.exe
dependency_executor_name:
dependencies:
executor:
command: Scriptrunner.exe -appvscript "#{payload_path}"
cleanup_command:
atomics/T1218.011/T1218.011.yaml
-1
View File
@@ -353,7 +353,6 @@ atomic_tests:
type: path
default: "'%windir%\\System32\\calc.exe'"
dependency_executor_name:
dependencies:
executor:
command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
cleanup_command:
atomics/T1486/T1486.yaml
+18 -18
View File
@@ -261,14 +261,14 @@ atomic_tests:
type: path
default: '$env:temp\test.txt'
dependencies:
- description: |
GPG must exist at (#{GPG_Exe_Location})
prereq_command: |
if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
- description: |
GPG must exist at (#{GPG_Exe_Location})
prereq_command: |
if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
executor:
name: powershell
elevation_required: false
@@ -290,16 +290,16 @@ atomic_tests:
default: 'dcrypt.exe'
dependency_executor_name: powershell
dependencies:
- description: |
dcrypt_setup will be installed at specified location (#{dcrypt_exe})
prereq_command: |
if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading DiskCryptor installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
Write-Host Install DiskCryptor
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
- description: |
dcrypt_setup will be installed at specified location (#{dcrypt_exe})
prereq_command: |
if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading DiskCryptor installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
Write-Host Install DiskCryptor
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
executor:
name: command_prompt
elevation_required: true
atomics/T1562.001/T1562.001.yaml
+6 -6
View File
@@ -79,12 +79,12 @@ atomic_tests:
supported_platforms:
- linux
dependencies:
- description: |
SELinux must be installed
prereq_command: |
which setenforce
get_prereq_command: |
echo "SELinux is not installed"; exit 1
- description: |
SELinux must be installed
prereq_command: |
which setenforce
get_prereq_command: |
echo "SELinux is not installed"; exit 1
executor:
command: |
setenforce 0
atomics/T1562.008/T1562.008.yaml
+20 -20
View File
@@ -21,26 +21,26 @@ atomic_tests:
type: string
default: "us-east-1"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install the terraform and configure your aws default profile
- description: |
Check if the dependency resources are already present.
prereq_command: |
if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform init
terraform apply -auto-approve
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install the terraform and configure your aws default profile
- description: |
Check if the dependency resources are already present.
prereq_command: |
if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/"
terraform init
terraform apply -auto-approve
executor:
command: |
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}
atomics/T1571/T1571.yaml
+6 -6
View File
@@ -39,12 +39,12 @@ atomic_tests:
default: google.com
dependency_executor_name: sh
dependencies:
- description: |
Requires telnet
prereq_command: |
which telnet
get_prereq_command: |
echo "please install telnet to run this test"; exit 1
- description: |
Requires telnet
prereq_command: |
which telnet
get_prereq_command: |
echo "please install telnet to run this test"; exit 1
executor:
command: |
echo quit | telnet #{domain} #{port}
atomics/T1580/T1580.yaml
+15 -15
View File
@@ -76,18 +76,18 @@ atomic_tests:
aws ec2 describe-security-groups --profile #{aws_profile} --output #{output_format}
dependencies:
- description: AWS CLI installed and configured with the necessary access rights.
prereq_command: type aws || aws --version
get_prereq_command: |
if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh
elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
fi
- description: Check if AWS CLI is installed and configured.
prereq_command: |
aws sts get-caller-identity --profile #{aws_profile}
get_prereq_command: |
if ! aws sts get-caller-identity --profile #{aws_profile}; then
echo "AWS CLI not properly configured. Please configure AWS CLI."
fi
- description: AWS CLI installed and configured with the necessary access rights.
prereq_command: type aws || aws --version
get_prereq_command: |
if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh
elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
fi
- description: Check if AWS CLI is installed and configured.
prereq_command: |
aws sts get-caller-identity --profile #{aws_profile}
get_prereq_command: |
if ! aws sts get-caller-identity --profile #{aws_profile}; then
echo "AWS CLI not properly configured. Please configure AWS CLI."
fi
atomics/T1619/T1619.yaml
+6 -6
View File
@@ -9,12 +9,12 @@ atomic_tests:
supported_platforms:
- iaas:aws
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
executor:
command: |
for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2 --bucket $bucket --output text; done
atomics/T1652/T1652.yaml
-1
View File
@@ -13,7 +13,6 @@ atomic_tests:
- windows
input_arguments:
dependency_executor_name:
dependencies:
executor:
command: |
driverquery /v /fo list