CircleCI Atomic Red Team doc generator
11 KiB
11 KiB
| 1 | Tactic | Technique # | Technique Name | Test # | Test Name |
|---|---|---|---|---|---|
| 2 | persistence | T1156 | .bash_profile and .bashrc | 1 | Add command to .bash_profile |
| 3 | persistence | T1156 | .bash_profile and .bashrc | 2 | Add command to .bashrc |
| 4 | persistence | T1176 | Browser Extensions | 1 | Chrome (Developer Mode) |
| 5 | persistence | T1176 | Browser Extensions | 2 | Chrome (Chrome Web Store) |
| 6 | persistence | T1176 | Browser Extensions | 3 | Firefox |
| 7 | persistence | T1136 | Create Account | 1 | Create a user account on a Linux system |
| 8 | persistence | T1136 | Create Account | 5 | Create a new user in Linux with `root` UID and GID. |
| 9 | persistence | T1158 | Hidden Files and Directories | 1 | Create a hidden file in a hidden directory |
| 10 | persistence | T1215 | Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod |
| 11 | persistence | T1168 | Local Job Scheduling | 1 | Cron - Replace crontab with referenced file |
| 12 | persistence | T1168 | Local Job Scheduling | 2 | Cron - Add script to cron folder |
| 13 | persistence | T1168 | Local Job Scheduling | 3 | Event Monitor Daemon Persistence |
| 14 | persistence | T1166 | Setuid and Setgid | 1 | Make and modify binary from C source |
| 15 | persistence | T1166 | Setuid and Setgid | 2 | Set a SetUID flag on file |
| 16 | persistence | T1166 | Setuid and Setgid | 3 | Set a SetGID flag on file |
| 17 | persistence | T1501 | Systemd Service | 1 | Create Systemd Service |
| 18 | persistence | T1154 | Trap | 1 | Trap |
| 19 | impact | T1485 | Data Destruction | 2 | macOS/Linux - Overwrite file with DD |
| 20 | impact | T1496 | Resource Hijacking | 1 | macOS/Linux - Simulate CPU Load with Yes |
| 21 | impact | T1529 | System Shutdown/Reboot | 3 | Restart System via `shutdown` - macOS/Linux |
| 22 | impact | T1529 | System Shutdown/Reboot | 4 | Shutdown System via `shutdown` - macOS/Linux |
| 23 | impact | T1529 | System Shutdown/Reboot | 5 | Restart System via `reboot` - macOS/Linux |
| 24 | impact | T1529 | System Shutdown/Reboot | 6 | Shutdown System via `halt` - Linux |
| 25 | impact | T1529 | System Shutdown/Reboot | 7 | Reboot System via `halt` - Linux |
| 26 | impact | T1529 | System Shutdown/Reboot | 8 | Shutdown System via `poweroff` - Linux |
| 27 | impact | T1529 | System Shutdown/Reboot | 9 | Reboot System via `poweroff` - Linux |
| 28 | discovery | T1087 | Account Discovery | 1 | Enumerate all accounts |
| 29 | discovery | T1087 | Account Discovery | 2 | View sudoers access |
| 30 | discovery | T1087 | Account Discovery | 3 | View accounts with UID 0 |
| 31 | discovery | T1087 | Account Discovery | 4 | List opened files by user |
| 32 | discovery | T1087 | Account Discovery | 5 | Show if a user account has ever logged in remotely |
| 33 | discovery | T1087 | Account Discovery | 6 | Enumerate users and groups |
| 34 | discovery | T1217 | Browser Bookmark Discovery | 1 | List Mozilla Firefox Bookmark Database Files on Linux |
| 35 | discovery | T1083 | File and Directory Discovery | 3 | Nix File and Diectory Discovery |
| 36 | discovery | T1083 | File and Directory Discovery | 4 | Nix File and Directory Discovery 2 |
| 37 | discovery | T1046 | Network Service Scanning | 1 | Port Scan |
| 38 | discovery | T1046 | Network Service Scanning | 2 | Port Scan Nmap |
| 39 | discovery | T1135 | Network Share Discovery | 1 | Network Share Discovery |
| 40 | discovery | T1040 | Network Sniffing | 1 | Packet Capture Linux |
| 41 | discovery | T1201 | Password Policy Discovery | 1 | Examine password complexity policy - Ubuntu |
| 42 | discovery | T1201 | Password Policy Discovery | 2 | Examine password complexity policy - CentOS/RHEL 7.x |
| 43 | discovery | T1201 | Password Policy Discovery | 3 | Examine password complexity policy - CentOS/RHEL 6.x |
| 44 | discovery | T1201 | Password Policy Discovery | 4 | Examine password expiration policy - All Linux |
| 45 | discovery | T1069 | Permission Groups Discovery | 1 | Permission Groups Discovery |
| 46 | discovery | T1057 | Process Discovery | 1 | Process Discovery - ps |
| 47 | discovery | T1018 | Remote System Discovery | 6 | Remote System Discovery - arp nix |
| 48 | discovery | T1018 | Remote System Discovery | 7 | Remote System Discovery - sweep |
| 49 | discovery | T1082 | System Information Discovery | 2 | System Information Discovery |
| 50 | discovery | T1082 | System Information Discovery | 3 | List OS Information |
| 51 | discovery | T1082 | System Information Discovery | 4 | Linux VM Check via Hardware |
| 52 | discovery | T1082 | System Information Discovery | 5 | Linux VM Check via Kernel Modules |
| 53 | discovery | T1082 | System Information Discovery | 7 | Hostname Discovery |
| 54 | discovery | T1016 | System Network Configuration Discovery | 3 | System Network Configuration Discovery |
| 55 | discovery | T1049 | System Network Connections Discovery | 3 | System Network Connections Discovery Linux & MacOS |
| 56 | discovery | T1033 | System Owner/User Discovery | 2 | System Owner/User Discovery |
| 57 | credential-access | T1139 | Bash History | 1 | Search Through Bash History |
| 58 | credential-access | T1081 | Credentials in Files | 2 | Extract passwords with grep |
| 59 | credential-access | T1040 | Network Sniffing | 1 | Packet Capture Linux |
| 60 | credential-access | T1145 | Private Keys | 2 | Discover Private SSH Keys |
| 61 | credential-access | T1145 | Private Keys | 3 | Copy Private SSH Keys with CP |
| 62 | credential-access | T1145 | Private Keys | 4 | Copy Private SSH Keys with rsync |
| 63 | defense-evasion | T1009 | Binary Padding | 1 | Pad Binary to Change Hash - Linux/macOS dd |
| 64 | defense-evasion | T1146 | Clear Command History | 1 | Clear Bash history (rm) |
| 65 | defense-evasion | T1146 | Clear Command History | 2 | Clear Bash history (echo) |
| 66 | defense-evasion | T1146 | Clear Command History | 3 | Clear Bash history (cat dev/null) |
| 67 | defense-evasion | T1146 | Clear Command History | 4 | Clear Bash history (ln dev/null) |
| 68 | defense-evasion | T1146 | Clear Command History | 5 | Clear Bash history (truncate) |
| 69 | defense-evasion | T1146 | Clear Command History | 6 | Clear history of a bunch of shells |
| 70 | defense-evasion | T1090 | Connection Proxy | 1 | Connection Proxy |
| 71 | defense-evasion | T1089 | Disabling Security Tools | 1 | Disable iptables firewall |
| 72 | defense-evasion | T1089 | Disabling Security Tools | 2 | Disable syslog |
| 73 | defense-evasion | T1089 | Disabling Security Tools | 3 | Disable Cb Response |
| 74 | defense-evasion | T1089 | Disabling Security Tools | 4 | Disable SELinux |
| 75 | defense-evasion | T1107 | File Deletion | 1 | Delete a single file - Linux/macOS |
| 76 | defense-evasion | T1107 | File Deletion | 2 | Delete an entire folder - Linux/macOS |
| 77 | defense-evasion | T1107 | File Deletion | 3 | Overwrite and delete a file with shred |
| 78 | defense-evasion | T1107 | File Deletion | 8 | Delete Filesystem - Linux |
| 79 | defense-evasion | T1222 | File and Directory Permissions Modification | 8 | chmod - Change file or folder mode (numeric mode) |
| 80 | defense-evasion | T1222 | File and Directory Permissions Modification | 9 | chmod - Change file or folder mode (symbolic mode) |
| 81 | defense-evasion | T1222 | File and Directory Permissions Modification | 10 | chmod - Change file or folder mode (numeric mode) recursively |
| 82 | defense-evasion | T1222 | File and Directory Permissions Modification | 11 | chmod - Change file or folder mode (symbolic mode) recursively |
| 83 | defense-evasion | T1222 | File and Directory Permissions Modification | 12 | chown - Change file or folder ownership and group |
| 84 | defense-evasion | T1222 | File and Directory Permissions Modification | 13 | chown - Change file or folder ownership and group recursively |
| 85 | defense-evasion | T1222 | File and Directory Permissions Modification | 14 | chown - Change file or folder mode ownership only |
| 86 | defense-evasion | T1222 | File and Directory Permissions Modification | 15 | chown - Change file or folder ownership recursively |
| 87 | defense-evasion | T1222 | File and Directory Permissions Modification | 16 | chattr - Remove immutable file attribute |
| 88 | defense-evasion | T1148 | HISTCONTROL | 1 | Disable history collection |
| 89 | defense-evasion | T1148 | HISTCONTROL | 2 | Mac HISTCONTROL |
| 90 | defense-evasion | T1158 | Hidden Files and Directories | 1 | Create a hidden file in a hidden directory |
| 91 | defense-evasion | T1070 | Indicator Removal on Host | 3 | rm -rf |
| 92 | defense-evasion | T1070 | Indicator Removal on Host | 4 | Overwrite Linux Mail Spool |
| 93 | defense-evasion | T1070 | Indicator Removal on Host | 5 | Overwrite Linux Log |
| 94 | defense-evasion | T1130 | Install Root Certificate | 1 | Install root CA on CentOS/RHEL |
| 95 | defense-evasion | T1036 | Masquerading | 2 | Masquerading as Linux crond process. |
| 96 | defense-evasion | T1027 | Obfuscated Files or Information | 1 | Decode base64 Data into Script |
| 97 | defense-evasion | T1055 | Process Injection | 2 | Shared Library Injection via /etc/ld.so.preload |
| 98 | defense-evasion | T1055 | Process Injection | 3 | Shared Library Injection via LD_PRELOAD |
| 99 | defense-evasion | T1014 | Rootkit | 1 | Loadable Kernel Module based Rootkit |
| 100 | defense-evasion | T1014 | Rootkit | 2 | Loadable Kernel Module based Rootkit |
| 101 | defense-evasion | T1064 | Scripting | 1 | Create and Execute Bash Shell Script |
| 102 | defense-evasion | T1099 | Timestomp | 1 | Set a file's access timestamp |
| 103 | defense-evasion | T1099 | Timestomp | 2 | Set a file's modification timestamp |
| 104 | defense-evasion | T1099 | Timestomp | 3 | Set a file's creation timestamp |
| 105 | defense-evasion | T1099 | Timestomp | 4 | Modify file timestamps using reference file |
| 106 | lateral-movement | T1105 | Remote File Copy | 1 | rsync remote file copy (push) |
| 107 | lateral-movement | T1105 | Remote File Copy | 2 | rsync remote file copy (pull) |
| 108 | lateral-movement | T1105 | Remote File Copy | 3 | scp remote file copy (push) |
| 109 | lateral-movement | T1105 | Remote File Copy | 4 | scp remote file copy (pull) |
| 110 | lateral-movement | T1105 | Remote File Copy | 5 | sftp remote file copy (push) |
| 111 | lateral-movement | T1105 | Remote File Copy | 6 | sftp remote file copy (pull) |
| 112 | collection | T1074 | Data Staged | 2 | Stage data from Discovery.sh |
| 113 | collection | T1113 | Screen Capture | 3 | X Windows Capture |
| 114 | collection | T1113 | Screen Capture | 4 | Import |
| 115 | exfiltration | T1002 | Data Compressed | 3 | Data Compressed - nix - zip |
| 116 | exfiltration | T1002 | Data Compressed | 4 | Data Compressed - nix - gzip Single File |
| 117 | exfiltration | T1002 | Data Compressed | 5 | Data Compressed - nix - tar Folder or File |
| 118 | exfiltration | T1022 | Data Encrypted | 1 | Data Encrypted with zip and gpg symmetric |
| 119 | exfiltration | T1030 | Data Transfer Size Limits | 1 | Data Transfer Size Limits |
| 120 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 1 | Exfiltration Over Alternative Protocol - SSH |
| 121 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 2 | Exfiltration Over Alternative Protocol - SSH |
| 122 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 3 | Exfiltration Over Alternative Protocol - HTTP |
| 123 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 5 | Exfiltration Over Alternative Protocol - DNS |
| 124 | execution | T1059 | Command-Line Interface | 1 | Command-Line Interface |
| 125 | execution | T1168 | Local Job Scheduling | 1 | Cron - Replace crontab with referenced file |
| 126 | execution | T1168 | Local Job Scheduling | 2 | Cron - Add script to cron folder |
| 127 | execution | T1168 | Local Job Scheduling | 3 | Event Monitor Daemon Persistence |
| 128 | execution | T1064 | Scripting | 1 | Create and Execute Bash Shell Script |
| 129 | execution | T1153 | Source | 1 | Execute Script using Source |
| 130 | execution | T1153 | Source | 2 | Execute Script using Source Alias |
| 131 | execution | T1154 | Trap | 1 | Trap |
| 132 | command-and-control | T1090 | Connection Proxy | 1 | Connection Proxy |
| 133 | command-and-control | T1132 | Data Encoding | 1 | Base64 Encoded data. |
| 134 | command-and-control | T1105 | Remote File Copy | 1 | rsync remote file copy (push) |
| 135 | command-and-control | T1105 | Remote File Copy | 2 | rsync remote file copy (pull) |
| 136 | command-and-control | T1105 | Remote File Copy | 3 | scp remote file copy (push) |
| 137 | command-and-control | T1105 | Remote File Copy | 4 | scp remote file copy (pull) |
| 138 | command-and-control | T1105 | Remote File Copy | 5 | sftp remote file copy (push) |
| 139 | command-and-control | T1105 | Remote File Copy | 6 | sftp remote file copy (pull) |
| 140 | command-and-control | T1071 | Standard Application Layer Protocol | 3 | Malicious User Agents - Nix |
| 141 | command-and-control | T1065 | Uncommonly Used Port | 2 | Testing usage of uncommonly used port |
| 142 | privilege-escalation | T1055 | Process Injection | 2 | Shared Library Injection via /etc/ld.so.preload |
| 143 | privilege-escalation | T1055 | Process Injection | 3 | Shared Library Injection via LD_PRELOAD |
| 144 | privilege-escalation | T1166 | Setuid and Setgid | 1 | Make and modify binary from C source |
| 145 | privilege-escalation | T1166 | Setuid and Setgid | 2 | Set a SetUID flag on file |
| 146 | privilege-escalation | T1166 | Setuid and Setgid | 3 | Set a SetGID flag on file |
| 147 | privilege-escalation | T1169 | Sudo | 1 | Sudo usage |
| 148 | privilege-escalation | T1206 | Sudo Caching | 1 | Unlimited sudo cache timeout |
| 149 | privilege-escalation | T1206 | Sudo Caching | 2 | Disable tty_tickets for sudo caching |