| Line | Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|---|
| 2 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 46 | AWS - GuardDuty Suspension or Deletion | 11e65d8d-e7e4-470e-a3ff-82bc56ad938e | bash |
| 3 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 1 | AWS - CloudTrail Changes | 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e | sh |
| 4 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 2 | Azure - Eventhub Deletion | 5e09bed0-7d33-453b-9bf3-caea32bff719 | powershell |
| 5 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 4 | AWS - Disable CloudTrail Logging Through Event Selectors using Stratus | a27418de-bdce-4ebd-b655-38f11142bf0c | sh |
| 6 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 5 | AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus | 22d89a2f-d475-4895-b2d4-68626d49c029 | sh |
| 7 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 6 | AWS - Remove VPC Flow Logs using Stratus | 93c150f5-ad7b-4ee3-8992-df06dec2ac79 | sh |
| 8 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 7 | AWS - CloudWatch Log Group Deletes | 89422c87-b57b-4a04-a8ca-802bb9d06121 | sh |
| 9 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 8 | AWS CloudWatch Log Stream Deletes | 33ca84bc-4259-4943-bd36-4655dc420932 | sh |
| 10 | defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 10 | GCP - Delete Activity Event Log | d56152ec-01d9-42a2-877c-aac1f6ebe8e6 | sh |
| 11 | defense-evasion | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | 1 | AWS - Create Snapshot from EBS Volume | a3c09662-85bb-4ea8-b15b-6dc8a844e236 | sh |
| 12 | defense-evasion | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | 2 | Azure - Create Snapshot from Managed Disk | 89e69b4b-3458-4ec6-b819-b3008debc1bc | sh |
| 13 | defense-evasion | T1578.001 | Modify Cloud Compute Infrastructure: Create Snapshot | 3 | GCP - Create Snapshot from Persistent Disk | e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d | sh |
| 14 | defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 15 | defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 16 | defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 17 | credential-access | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | 2 | Azure - Dump Azure Instance Metadata from Virtual Machines | cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 | powershell |
| 18 | credential-access | T1552 | Unsecured Credentials | 1 | AWS - Retrieve EC2 Password Data using stratus | a21118de-b11e-4ebd-b655-42f11142df0c | sh |
| 19 | credential-access | T1110.003 | Brute Force: Password Spraying | 9 | AWS - Password Spray an AWS using GoAWSConsoleSpray | 9c10d16b-20b1-403a-8e67-50ef7117ed4e | sh |
| 20 | credential-access | T1528 | Steal Application Access Token | 1 | Azure - Functions code upload - Functions code injection via Blob upload | 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43 | powershell |
| 21 | credential-access | T1528 | Steal Application Access Token | 2 | Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token | 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1 | powershell |
| 22 | credential-access | T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores | 1 | Azure - Dump All Azure Key Vaults with Microburst | 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea | powershell |
| 23 | impact | T1485 | Data Destruction | 4 | GCP - Delete Bucket | 4ac71389-40f4-448a-b73f-754346b3f928 | sh |
| 24 | discovery | T1580 | Cloud Infrastructure Discovery | 1 | AWS - EC2 Enumeration from Cloud Instance | 99ee161b-dcb1-4276-8ecb-7cfdcb207820 | sh |
| 25 | discovery | T1580 | Cloud Infrastructure Discovery | 2 | AWS - EC2 Security Group Enumeration | 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac | command_prompt |
| 26 | discovery | T1619 | Cloud Storage Object Discovery | 1 | AWS S3 Enumeration | 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 | sh |
| 27 | discovery | T1619 | Cloud Storage Object Discovery | 2 | Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI | 070322a4-2c60-4c50-8ffb-c450a34fe7bf | powershell |
| 28 | discovery | T1619 | Cloud Storage Object Discovery | 3 | Azure - Scan for Anonymous Access to Azure Storage (Powershell) | 146af1f1-b74e-4aa7-9895-505eb559b4b0 | powershell |
| 29 | discovery | T1619 | Cloud Storage Object Discovery | 4 | Azure - Enumerate Azure Blobs with MicroBurst | 3dab4bcc-667f-4459-aea7-4162dd2d6590 | powershell |
| 30 | discovery | T1201 | Password Policy Discovery | 12 | Examine AWS Password Policy | 15330820-d405-450b-bd08-16b5be5be9f4 | sh |
| 31 | discovery | T1526 | Cloud Service Discovery | 1 | Azure - Dump Subscription Data with MicroBurst | 1e40bb1d-195e-401e-a86b-c192f55e005c | powershell |
| 32 | discovery | T1526 | Cloud Service Discovery | 2 | AWS - Enumerate common cloud services | aa8b9bcc-46fa-4a59-9237-73c7b93a980c | powershell |
| 33 | discovery | T1526 | Cloud Service Discovery | 3 | Azure - Enumerate common cloud services | 58f57c8f-db14-4e62-a4d3-5aaf556755d7 | powershell |
| 34 | collection | T1530 | Data from Cloud Storage Object | 1 | AWS - Scan for Anonymous Access to S3 | 979356b9-b588-4e49-bba4-c35517c484f5 | sh |
| 35 | collection | T1530 | Data from Cloud Storage Object | 2 | Azure - Dump Azure Storage Account Objects via Azure CLI | 67374845-b4c8-4204-adcc-9b217b65d4f1 | powershell |
| 36 | persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials | 3 | AWS - Create Access Key and Secret Key | 8822c3b0-d9f9-4daf-a043-491160a31122 | sh |
| 37 | persistence | T1136.003 | Create Account: Cloud Account | 1 | AWS - Create a new IAM user | 8d1c2368-b503-40c9-9057-8e42f21c58ad | sh |
| 38 | persistence | T1098 | Account Manipulation | 3 | AWS - Create a group and add a user to that group | 8822c3b0-d9f9-4daf-a043-49f110a31122 | sh |
| 39 | persistence | T1098 | Account Manipulation | 6 | Azure - adding user to Azure role in subscription | 1a94b3fc-b080-450a-b3d8-6d9b57b472ea | powershell |
| 40 | persistence | T1098 | Account Manipulation | 7 | Azure - adding service principal to Azure role in subscription | c8f4bc29-a151-48da-b3be-4680af56f404 | powershell |
| 41 | persistence | T1098 | Account Manipulation | 17 | GCP - Delete Service Account Key | 7ece1dea-49f1-4d62-bdcc-5801e3292510 | sh |
| 42 | persistence | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 43 | persistence | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 44 | persistence | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 45 | privilege-escalation | T1098.001 | Account Manipulation: Additional Cloud Credentials | 3 | AWS - Create Access Key and Secret Key | 8822c3b0-d9f9-4daf-a043-491160a31122 | sh |
| 46 | privilege-escalation | T1098 | Account Manipulation | 3 | AWS - Create a group and add a user to that group | 8822c3b0-d9f9-4daf-a043-49f110a31122 | sh |
| 47 | privilege-escalation | T1098 | Account Manipulation | 6 | Azure - adding user to Azure role in subscription | 1a94b3fc-b080-450a-b3d8-6d9b57b472ea | powershell |
| 48 | privilege-escalation | T1098 | Account Manipulation | 7 | Azure - adding service principal to Azure role in subscription | c8f4bc29-a151-48da-b3be-4680af56f404 | powershell |
| 49 | privilege-escalation | T1098 | Account Manipulation | 17 | GCP - Delete Service Account Key | 7ece1dea-49f1-4d62-bdcc-5801e3292510 | sh |
| 50 | privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 51 | privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 52 | privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 53 | initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| 54 | initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| 55 | initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| 56 | execution | T1651 | Cloud Administration Command | 1 | AWS Run Command (and Control) | a3cc9c95-c160-4b86-af6f-84fba87bfd30 | powershell |
| 57 | execution | T1648 | Serverless Execution | 1 | Lambda Function Hijack | 87a4a141-c2bb-49d1-a604-8679082d8b91 | powershell |