Atomic Red Team doc generator
13 KiB
13 KiB
Google Workspace Atomic Tests by ATT&CK Tactic & Technique
credential-access
- T1110.001 Brute Force: Password Guessing CONTRIBUTE A TEST
- T1539 Steal Web Session Cookie CONTRIBUTE A TEST
- T1110.002 Brute Force: Password Cracking CONTRIBUTE A TEST
- T1606.002 Forge Web Credentials: SAML token CONTRIBUTE A TEST
- T1552 Unsecured Credentials CONTRIBUTE A TEST
- T1556.007 Hybrid Identity CONTRIBUTE A TEST
- T1110.003 Brute Force: Password Spraying CONTRIBUTE A TEST
- T1528 Steal Application Access Token CONTRIBUTE A TEST
- T1606 Forge Web Credentials CONTRIBUTE A TEST
- T1621 Multi-Factor Authentication Request Generation CONTRIBUTE A TEST
- T1552.008 Chat Messages CONTRIBUTE A TEST
- T1110 Brute Force CONTRIBUTE A TEST
- T1110.004 Brute Force: Credential Stuffing CONTRIBUTE A TEST
- T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
- T1556 Modify Authentication Process CONTRIBUTE A TEST
collection
- T1213.002 Sharepoint CONTRIBUTE A TEST
- T1114 Email Collection CONTRIBUTE A TEST
- T1119 Automated Collection CONTRIBUTE A TEST
- T1530 Data from Cloud Storage Object CONTRIBUTE A TEST
- T1114.003 Email Collection: Email Forwarding Rule CONTRIBUTE A TEST
- T1114.002 Email Collection: Remote Email Collection CONTRIBUTE A TEST
- T1213 Data from Information Repositories CONTRIBUTE A TEST
- T1213.005 Messaging Applications CONTRIBUTE A TEST
defense-evasion
- T1564.008 Hide Artifacts: Email Hiding Rules CONTRIBUTE A TEST
- T1564 Hide Artifacts CONTRIBUTE A TEST
- T1562 Impair Defenses CONTRIBUTE A TEST
- T1070.008 Email Collection: Mailbox Manipulation CONTRIBUTE A TEST
- T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
- T1556.007 Hybrid Identity CONTRIBUTE A TEST
- T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
- T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
- T1548.005 Temporary Elevated Cloud Access CONTRIBUTE A TEST
- T1070 Indicator Removal on Host CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
- T1550.004 Web Session Cookie CONTRIBUTE A TEST
- T1656 Impersonation CONTRIBUTE A TEST
- T1562.008 Impair Defenses: Disable Cloud Logs CONTRIBUTE A TEST
- T1036.010 Masquerade Account Name CONTRIBUTE A TEST
- T1672 Email Spoofing CONTRIBUTE A TEST
- T1550.001 Application Access Token CONTRIBUTE A TEST
- T1078.004 Valid Accounts: Cloud Accounts
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1556 Modify Authentication Process CONTRIBUTE A TEST
discovery
- T1069 Permission Groups Discovery CONTRIBUTE A TEST
- T1069.003 Cloud Groups CONTRIBUTE A TEST
- T1087.003 Email Account CONTRIBUTE A TEST
- T1087 Account Discovery CONTRIBUTE A TEST
- T1087.004 Cloud Account CONTRIBUTE A TEST
- T1201 Password Policy Discovery CONTRIBUTE A TEST
- T1526 Cloud Service Discovery CONTRIBUTE A TEST
- T1538 Cloud Service Dashboard CONTRIBUTE A TEST
lateral-movement
- T1080 Taint Shared Content CONTRIBUTE A TEST
- T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
- T1021.007 Cloud Services CONTRIBUTE A TEST
- T1534 Internal Spearphishing CONTRIBUTE A TEST
- T1550.004 Web Session Cookie CONTRIBUTE A TEST
- T1550.001 Application Access Token CONTRIBUTE A TEST
initial-access
- T1566.002 Phishing: Spearphishing Link CONTRIBUTE A TEST
- T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
- T1199 Trusted Relationship CONTRIBUTE A TEST
- T1566 Phishing CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1078.004 Valid Accounts: Cloud Accounts
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
persistence
- T1137 Office Application Startup CONTRIBUTE A TEST
- T1098.003 Account Manipulation: Additional Cloud Roles CONTRIBUTE A TEST
- T1137.006 Office Application Startup: Add-ins CONTRIBUTE A TEST
- T1137.005 Outlook Rules CONTRIBUTE A TEST
- T1556.007 Hybrid Identity CONTRIBUTE A TEST
- T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
- T1137.001 Office Application Startup: Office Template Macros. CONTRIBUTE A TEST
- T1136.003 Create Account: Cloud Account CONTRIBUTE A TEST
- T1098 Account Manipulation CONTRIBUTE A TEST
- T1137.003 Outlook Forms CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
- T1546 Event Triggered Execution CONTRIBUTE A TEST
- T1137.004 Office Application Startup: Outlook Home Page CONTRIBUTE A TEST
- T1671 Cloud Application Integration CONTRIBUTE A TEST
- T1136 Create Account CONTRIBUTE A TEST
- T1098.002 Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST
- T1137.002 Office Application Startup: Office Test CONTRIBUTE A TEST
- T1078.004 Valid Accounts: Cloud Accounts
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1556 Modify Authentication Process CONTRIBUTE A TEST
privilege-escalation
- T1098.003 Account Manipulation: Additional Cloud Roles CONTRIBUTE A TEST
- T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
- T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
- T1548.005 Temporary Elevated Cloud Access CONTRIBUTE A TEST
- T1098 Account Manipulation CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1546 Event Triggered Execution CONTRIBUTE A TEST
- T1098.002 Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST
- T1078.004 Valid Accounts: Cloud Accounts
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
exfiltration
- T1567 Exfiltration Over Web Service CONTRIBUTE A TEST
- T1567.004 Exfiltration Over Webhook CONTRIBUTE A TEST
- T1048 Exfiltration Over Alternative Protocol CONTRIBUTE A TEST
- T1537 Transfer Data to Cloud Account CONTRIBUTE A TEST
execution
- T1059.009 Cloud API CONTRIBUTE A TEST
- T1059 Command and Scripting Interpreter CONTRIBUTE A TEST
- T1648 Serverless Execution CONTRIBUTE A TEST
impact
- T1657 Financial Theft CONTRIBUTE A TEST
- T1531 Account Access Removal CONTRIBUTE A TEST
- T1667 Email Bombing CONTRIBUTE A TEST