| Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|
| defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 46 | AWS - GuardDuty Suspension or Deletion | 11e65d8d-e7e4-470e-a3ff-82bc56ad938e | bash |
| defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 1 | AWS - CloudTrail Changes | 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e | sh |
| defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 2 | Azure - Eventhub Deletion | 5e09bed0-7d33-453b-9bf3-caea32bff719 | powershell |
| defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 4 | AWS - Disable CloudTrail Logging Through Event Selectors using Stratus | a27418de-bdce-4ebd-b655-38f11142bf0c | sh |
| defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 6 | AWS - Remove VPC Flow Logs using Stratus | 93c150f5-ad7b-4ee3-8992-df06dec2ac79 | sh |
| defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 7 | AWS - CloudWatch Log Group Deletes | 89422c87-b57b-4a04-a8ca-802bb9d06121 | sh |
| defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 8 | AWS CloudWatch Log Stream Deletes | 33ca84bc-4259-4943-bd36-4655dc420932 | sh |
| defense-evasion | T1562.008 | Impair Defenses: Disable Cloud Logs | 10 | GCP - Delete Activity Event Log | d56152ec-01d9-42a2-877c-aac1f6ebe8e6 | sh |
| defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| defense-evasion | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| credential-access | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | 2 | Azure - Dump Azure Instance Metadata from Virtual Machines | cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 | powershell |
| credential-access | T1552 | Unsecured Credentials | 1 | AWS - Retrieve EC2 Password Data using stratus | a21118de-b11e-4ebd-b655-42f11142df0c | sh |
| credential-access | T1110.003 | Brute Force: Password Spraying | 9 | AWS - Password Spray an AWS using GoAWSConsoleSpray | 9c10d16b-20b1-403a-8e67-50ef7117ed4e | sh |
| impact | T1485 | Data Destruction | 4 | GCP - Delete Bucket | 4ac71389-40f4-448a-b73f-754346b3f928 | sh |
| discovery | T1580 | Cloud Infrastructure Discovery | 1 | AWS - EC2 Enumeration from Cloud Instance | 99ee161b-dcb1-4276-8ecb-7cfdcb207820 | sh |
| discovery | T1619 | Cloud Storage Object Discovery | 1 | AWS S3 Enumeration | 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 | sh |
| discovery | T1201 | Password Policy Discovery | 12 | Examine AWS Password Policy | 15330820-d405-450b-bd08-16b5be5be9f4 | sh |
| discovery | T1526 | Cloud Service Discovery | 1 | Azure - Dump Subscription Data with MicroBurst | 1e40bb1d-195e-401e-a86b-c192f55e005c | powershell |
| persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials | 3 | AWS - Create Access Key and Secret Key | 8822c3b0-d9f9-4daf-a043-491160a31122 | sh |
| persistence | T1136.003 | Create Account: Cloud Account | 1 | AWS - Create a new IAM user | 8d1c2368-b503-40c9-9057-8e42f21c58ad | sh |
| persistence | T1098 | Account Manipulation | 3 | AWS - Create a group and add a user to that group | 8822c3b0-d9f9-4daf-a043-49f110a31122 | sh |
| persistence | T1098 | Account Manipulation | 6 | Azure - adding user to Azure role in subscription | 1a94b3fc-b080-450a-b3d8-6d9b57b472ea | powershell |
| persistence | T1098 | Account Manipulation | 7 | Azure - adding service principal to Azure role in subscription | c8f4bc29-a151-48da-b3be-4680af56f404 | powershell |
| persistence | T1098 | Account Manipulation | 17 | GCP - Delete Service Account Key | 7ece1dea-49f1-4d62-bdcc-5801e3292510 | sh |
| persistence | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| persistence | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| persistence | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| privilege-escalation | T1098.001 | Account Manipulation: Additional Cloud Credentials | 3 | AWS - Create Access Key and Secret Key | 8822c3b0-d9f9-4daf-a043-491160a31122 | sh |
| privilege-escalation | T1098 | Account Manipulation | 3 | AWS - Create a group and add a user to that group | 8822c3b0-d9f9-4daf-a043-49f110a31122 | sh |
| privilege-escalation | T1098 | Account Manipulation | 6 | Azure - adding user to Azure role in subscription | 1a94b3fc-b080-450a-b3d8-6d9b57b472ea | powershell |
| privilege-escalation | T1098 | Account Manipulation | 7 | Azure - adding service principal to Azure role in subscription | c8f4bc29-a151-48da-b3be-4680af56f404 | powershell |
| privilege-escalation | T1098 | Account Manipulation | 17 | GCP - Delete Service Account Key | 7ece1dea-49f1-4d62-bdcc-5801e3292510 | sh |
| privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| privilege-escalation | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |
| collection | T1530 | Data from Cloud Storage Object | 1 | Azure - Enumerate Azure Blobs with MicroBurst | 3dab4bcc-667f-4459-aea7-4162dd2d6590 | powershell |
| collection | T1530 | Data from Cloud Storage Object | 2 | Azure - Scan for Anonymous Access to Azure Storage (Powershell) | 146af1f1-b74e-4aa7-9895-505eb559b4b0 | powershell |
| collection | T1530 | Data from Cloud Storage Object | 3 | AWS - Scan for Anonymous Access to S3 | 979356b9-b588-4e49-bba4-c35517c484f5 | sh |
| initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 1 | Creating GCP Service Account and Service Account Key | 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e | sh |
| initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 2 | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | powershell |
| initial-access | T1078.004 | Valid Accounts: Cloud Accounts | 3 | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | sh |