# Linux Atomic Tests by ATT&CK Tactic & Technique
|
|
# defense-evasion
|
|
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
|
|
- Atomic Test #1: Malicious PAM rule [linux]
|
|
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
|
|
- Atomic Test #3: Malicious PAM module [linux]
|
|
- [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
|
|
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
|
|
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
|
|
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
|
|
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
|
|
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
|
|
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
|
|
- Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
|
|
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
|
|
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
|
|
- Atomic Test #10: chflags - Remove immutable file attribute [linux]
|
|
- Atomic Test #11: Chmod through c script [macos, linux]
|
|
- Atomic Test #12: Chmod through c script (freebsd) [linux]
|
|
- Atomic Test #13: Chown through c script [macos, linux]
|
|
- Atomic Test #14: Chown through c script (freebsd) [linux]
|
|
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1014 Rootkit](../../T1014/T1014.md)
|
|
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
|
|
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
|
|
- Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
|
|
- Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
|
|
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
|
|
- Atomic Test #1: Sudo usage [macos, linux]
|
|
- Atomic Test #2: Sudo usage (freebsd) [linux]
|
|
- Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
|
|
- Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
|
|
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
|
|
- Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
|
|
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
|
|
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
|
|
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
|
|
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
|
|
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
|
|
- [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
|
|
- Atomic Test #1: rm -rf [macos, linux]
|
|
- Atomic Test #2: rm -rf [linux]
|
|
- Atomic Test #5: Truncate system log files via truncate utility (freebsd) [linux]
|
|
- Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [linux]
|
|
- Atomic Test #10: Overwrite FreeBSD system log via echo utility [linux]
|
|
- Atomic Test #13: Delete system log files via unlink utility (freebsd) [linux]
|
|
- Atomic Test #18: Delete system journal logs via rm and journalctl utilities [linux]
|
|
- Atomic Test #19: Overwrite Linux Mail Spool [linux]
|
|
- Atomic Test #20: Overwrite Linux Log [linux]
|
|
- T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1036.009 Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
|
|
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
|
|
- Atomic Test #2: Clear Bash history (echo) [linux]
|
|
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
|
|
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
|
|
- Atomic Test #5: Clear Bash history (truncate) [linux]
|
|
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
|
|
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
|
|
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
|
|
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
|
|
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
|
|
- Atomic Test #3: Base64 decoding with Python [linux, macos]
|
|
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
|
|
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
|
|
- Atomic Test #6: Base64 decoding with shell utilities (freebsd) [linux]
|
|
- Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux]
|
|
- Atomic Test #8: Hex decoding with shell utilities [linux, macos]
|
|
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
|
|
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
|
|
- [T1562 Impair Defenses](../../T1562/T1562.md)
|
|
- Atomic Test #2: Disable journal logging via systemctl utility [linux]
|
|
- Atomic Test #3: Disable journal logging via sed utility [linux]
|
|
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1070.008 Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)
|
|
- Atomic Test #2: Copy and Delete Mailbox Data on Linux [linux]
|
|
- Atomic Test #5: Copy and Modify Mailbox Data on Linux [linux]
|
|
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
|
|
- Atomic Test #1: Set a file's access timestamp [linux, macos]
|
|
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
|
|
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
|
|
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
|
|
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
|
|
- Atomic Test #7: Stop/Start UFW firewall [linux]
|
|
- Atomic Test #8: Stop/Start Packet Filter [linux]
|
|
- Atomic Test #9: Stop/Start UFW firewall systemctl [linux]
|
|
- Atomic Test #10: Turn off UFW logging [linux]
|
|
- Atomic Test #11: Add and delete UFW firewall rules [linux]
|
|
- Atomic Test #12: Add and delete Packet Filter rules [linux]
|
|
- Atomic Test #13: Edit UFW firewall user.rules file [linux]
|
|
- Atomic Test #14: Edit UFW firewall ufw.conf file [linux]
|
|
- Atomic Test #15: Edit UFW firewall sysctl.conf file [linux]
|
|
- Atomic Test #16: Edit UFW firewall main configuration file [linux]
|
|
- Atomic Test #17: Tail the UFW firewall log file [linux]
|
|
- Atomic Test #18: Disable iptables [linux]
|
|
- Atomic Test #19: Modify/delete iptables firewall rules [linux]
|
|
- T1562.012 Disable or Modify Linux Audit System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
|
|
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
|
|
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
|
|
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
|
|
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
|
|
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
|
|
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
|
|
- Atomic Test #1: Make and modify binary from C source [macos, linux]
|
|
- Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
|
|
- Atomic Test #3: Set a SetUID flag on file [macos, linux]
|
|
- Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
|
|
- Atomic Test #5: Set a SetGID flag on file [macos, linux]
|
|
- Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
|
|
- Atomic Test #7: Make and modify capabilities of a binary [linux]
|
|
- Atomic Test #8: Provide the SetUID capability to a file [linux]
|
|
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
|
|
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
|
|
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
|
|
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
|
|
- Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux]
|
|
- Atomic Test #3: Logging Configuration Changes on Linux Host [linux]
|
|
- Atomic Test #4: Logging Configuration Changes on FreeBSD Host [linux]
|
|
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
|
|
- Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
|
|
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1562.010 Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md)
|
|
- Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]
|
|
- Atomic Test #2: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI [linux]
|
|
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
|
|
- Atomic Test #1: Disable history collection [linux, macos]
|
|
- Atomic Test #2: Disable history collection (freebsd) [linux]
|
|
- Atomic Test #3: Mac HISTCONTROL [macos, linux]
|
|
- Atomic Test #4: Clear bash history [linux]
|
|
- Atomic Test #5: Setting the HISTCONTROL environment variable [linux]
|
|
- Atomic Test #6: Setting the HISTFILESIZE environment variable [linux]
|
|
- Atomic Test #7: Setting the HISTSIZE environment variable [linux]
|
|
- Atomic Test #8: Setting the HISTFILE environment variable [linux]
|
|
- Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
|
|
- Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
|
|
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
|
|
- Atomic Test #1: Disable syslog [linux]
|
|
- Atomic Test #2: Disable syslog (freebsd) [linux]
|
|
- Atomic Test #3: Disable Cb Response [linux]
|
|
- Atomic Test #4: Disable SELinux [linux]
|
|
- Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
|
|
- Atomic Test #39: Clear History [linux]
|
|
- Atomic Test #40: Suspend History [linux]
|
|
- Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
|
|
- Atomic Test #42: Clear Pagging Cache [linux]
|
|
- Atomic Test #43: Disable Memory Swap [linux]
|
|
- Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
|
|
- Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
|
|
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
|
|
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
|
|
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
|
|
- Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [linux]
|
|
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
|
|
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
|
|
- Atomic Test #2: Install root CA on FreeBSD [linux]
|
|
- Atomic Test #3: Install root CA on Debian/Ubuntu [linux]
|
|
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
|
|
- Atomic Test #3: C compile [linux, macos]
|
|
- Atomic Test #4: CC compile [linux, macos]
|
|
- Atomic Test #5: Go compile [linux, macos]
|
|
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1656 Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
|
|
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
|
|
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
|
|
- Atomic Test #3: Overwrite and delete a file with shred [linux]
|
|
- Atomic Test #8: Delete Filesystem - Linux [linux]
|
|
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
|
|
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
|
|
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
|
|
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
|
|
- Atomic Test #2: Space After Filename [macos, linux]
|
|
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
|
|
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
|
|
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
|
|
- Atomic Test #8: Create local account (Linux) [linux]
|
|
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
|
|
- Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
|
|
- Atomic Test #11: Login as nobody (Linux) [linux]
|
|
- Atomic Test #12: Login as nobody (freebsd) [linux]
|
|
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
|
|
# persistence
|
|
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
|
|
- Atomic Test #1: Malicious PAM rule [linux]
|
|
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
|
|
- Atomic Test #3: Malicious PAM module [linux]
|
|
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
|
|
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
|
|
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
|
|
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
|
|
- Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
|
|
- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1176 Browser Extensions](../../T1176/T1176.md)
|
|
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
|
|
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
|
|
- Atomic Test #3: Firefox [linux, windows, macos]
|
|
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
|
|
- Atomic Test #1: Trap EXIT [macos, linux]
|
|
- Atomic Test #2: Trap EXIT (freebsd) [linux]
|
|
- Atomic Test #3: Trap SIGINT [macos, linux]
|
|
- Atomic Test #4: Trap SIGINT (freebsd) [linux]
|
|
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
|
|
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
|
|
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
|
|
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
|
|
- Atomic Test #1: Create a user account on a Linux system [linux]
|
|
- Atomic Test #2: Create a user account on a FreeBSD system [linux]
|
|
- Atomic Test #6: Create a new user in Linux with `root` UID and GID. [linux]
|
|
- Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
|
|
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
|
|
- Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
|
|
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
|
|
- Atomic Test #4: Active Directory Create Admin Account [linux]
|
|
- Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
|
|
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
|
|
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
|
|
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
|
|
- Atomic Test #1: Create Systemd Service and Timer [linux]
|
|
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
|
|
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
|
|
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
|
|
- Atomic Test #1: Add command to .bash_profile [macos, linux]
|
|
- Atomic Test #2: Add command to .bashrc [macos, linux]
|
|
- Atomic Test #3: Add command to .shrc [linux]
|
|
- Atomic Test #4: Append to the system shell profile [linux]
|
|
- Atomic Test #5: Append commands user shell profile [linux]
|
|
- Atomic Test #6: System shell profile scripts [linux]
|
|
- Atomic Test #7: Create/Append to .bash_logout [linux]
|
|
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
|
|
- Atomic Test #2: rc.common [linux]
|
|
- Atomic Test #3: rc.local [linux]
|
|
- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
|
|
- Atomic Test #1: Create Systemd Service [linux]
|
|
- Atomic Test #2: Create SysV Service [linux]
|
|
- Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
|
|
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1653 Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
|
- Atomic Test #2: At - Schedule a job [linux]
|
|
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
|
|
- Atomic Test #8: Create local account (Linux) [linux]
|
|
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
|
|
- Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
|
|
- Atomic Test #11: Login as nobody (Linux) [linux]
|
|
- Atomic Test #12: Login as nobody (freebsd) [linux]
|
|
|
|
# command-and-control
|
|
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
|
|
- Atomic Test #1: Base64 Encoded data. [macos, linux]
|
|
- Atomic Test #2: Base64 Encoded data (freebsd) [linux]
|
|
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
|
|
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu/FreeBSD [linux]
|
|
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
|
- [T1571 Non-Standard Port](../../T1571/T1571.md)
|
|
  - Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
  - Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
  - Atomic Test #1: rsync remote file copy (push) [linux, macos]
  - Atomic Test #2: rsync remote file copy (pull) [linux, macos]
  - Atomic Test #3: scp remote file copy (push) [linux, macos]
  - Atomic Test #4: scp remote file copy (pull) [linux, macos]
  - Atomic Test #5: sftp remote file copy (push) [linux, macos]
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
  - Atomic Test #14: whois file download [linux, macos]
  - Atomic Test #27: Linux Download File and Run [linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [linux, macos]
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

# collection

- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
  - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
  - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
  - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
  - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
  - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
- [T1113 Screen Capture](../../T1113/T1113.md)
  - Atomic Test #3: X Windows Capture [linux]
  - Atomic Test #4: X Windows Capture (freebsd) [linux]
  - Atomic Test #5: Capture Linux Desktop using Import Tool [linux]
  - Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
  - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
  - Atomic Test #3: Logging bash history to syslog [linux]
  - Atomic Test #4: Logging sh history to syslog/messages [linux]
  - Atomic Test #5: Bash session based keylogger [linux]
  - Atomic Test #6: SSHD PAM keylogger [linux]
  - Atomic Test #7: Auditd keylogger [linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
  - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
  - Atomic Test #5: Add or copy content to clipboard with xClip [linux]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1005 Data from Local System](../../T1005/T1005.md)
  - Atomic Test #2: Find and dump sqlite databases (Linux) [linux]
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
  - Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux]
  - Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux]
  - Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux]
  - Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux]
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

# lateral-movement

- T1021.005 Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.004 Remote Services: SSH](../../T1021.004/T1021.004.md)
  - Atomic Test #1: ESXi - Enable SSH via PowerCLI [linux]
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

# privilege-escalation

- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
  - Atomic Test #1: Sudo usage [macos, linux]
  - Atomic Test #2: Sudo usage (freebsd) [linux]
  - Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
  - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
  - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
  - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
  - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
  - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
  - Atomic Test #1: Trap EXIT [macos, linux]
  - Atomic Test #2: Trap EXIT (freebsd) [linux]
  - Atomic Test #3: Trap SIGINT [macos, linux]
  - Atomic Test #4: Trap SIGINT (freebsd) [linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
  - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
  - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
  - Atomic Test #1: Make and modify binary from C source [macos, linux]
  - Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
  - Atomic Test #3: Set a SetUID flag on file [macos, linux]
  - Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
  - Atomic Test #5: Set a SetGID flag on file [macos, linux]
  - Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
  - Atomic Test #7: Make and modify capabilities of a binary [linux]
  - Atomic Test #8: Provide the SetUID capability to a file [linux]
  - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
  - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
  - Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
  - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
  - Atomic Test #1: Create Systemd Service and Timer [linux]
  - Atomic Test #2: Create a user level transient systemd service and timer [linux]
  - Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
  - Atomic Test #3: Add command to .shrc [linux]
  - Atomic Test #4: Append to the system shell profile [linux]
  - Atomic Test #5: Append commands user shell profile [linux]
  - Atomic Test #6: System shell profile scripts [linux]
  - Atomic Test #7: Create/Append to .bash_logout [linux]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
  - Atomic Test #2: rc.common [linux]
  - Atomic Test #3: rc.local [linux]
- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
  - Atomic Test #1: Create Systemd Service [linux]
  - Atomic Test #2: Create SysV Service [linux]
  - Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #2: At - Schedule a job [linux]
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #8: Create local account (Linux) [linux]
  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
  - Atomic Test #11: Login as nobody (Linux) [linux]
  - Atomic Test #12: Login as nobody (freebsd) [linux]

# credential-access

- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
  - Atomic Test #1: Malicious PAM rule [linux]
  - Atomic Test #2: Malicious PAM rule (freebsd) [linux]
  - Atomic Test #3: Malicious PAM module [linux]
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
  - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
  - Atomic Test #3: Logging bash history to syslog [linux]
  - Atomic Test #4: Logging sh history to syslog/messages [linux]
  - Atomic Test #5: Bash session based keylogger [linux]
  - Atomic Test #6: SSHD PAM keylogger [linux]
  - Atomic Test #7: Auditd keylogger [linux]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
  - Atomic Test #5: SUDO Brute Force - Debian [linux]
  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
  - Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
  - Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [linux]
  - Atomic Test #3: Dump individual process memory with Python (Local) [linux]
  - Atomic Test #4: Capture Passwords with MimiPenguin [linux]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
  - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
  - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
  - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
  - Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #2: Discover Private SSH Keys [linux, macos]
  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
  - Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [linux]
  - Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
  - Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux]
  - Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
  - Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux]
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
  - Atomic Test #1: Search Through Bash History [linux, macos]
  - Atomic Test #2: Search Through sh History [linux]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
  - Atomic Test #1: Find AWS credentials [macos, linux]
  - Atomic Test #3: Extract passwords with grep [linux, macos]
  - Atomic Test #6: Find and Access Github Credentials [linux, macos]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
  - Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md)
  - Atomic Test #1: Access /etc/shadow (Local) [linux]
  - Atomic Test #2: Access /etc/master.passwd (Local) [linux]
  - Atomic Test #3: Access /etc/passwd (Local) [linux]
  - Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [linux]
  - Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [linux]
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

# discovery

- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
  - Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
  - Atomic Test #23: Active Directory Domain Search [linux]
  - Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
  - Atomic Test #1: Enumerate all accounts (Local) [linux]
  - Atomic Test #2: View sudoers access [linux, macos]
  - Atomic Test #3: View accounts with UID 0 [linux, macos]
  - Atomic Test #4: List opened files by user [linux, macos]
  - Atomic Test #5: Show if a user account has ever logged in remotely [linux]
  - Atomic Test #6: Enumerate users and groups [linux, macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
- [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #3: System Service Discovery - systemctl/service [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
  - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
  - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
  - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
  - Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
  - Atomic Test #2: Network Share Discovery - linux [linux]
  - Atomic Test #3: Network Share Discovery - FreeBSD [linux]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
  - Atomic Test #3: List OS Information [linux, macos]
  - Atomic Test #4: Linux VM Check via Hardware [linux]
  - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
  - Atomic Test #6: FreeBSD VM Check via Kernel Modules [linux]
  - Atomic Test #8: Hostname Discovery [linux, macos]
  - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
  - Atomic Test #25: Linux List Kernel Modules [linux]
  - Atomic Test #26: FreeBSD List Kernel Modules [linux]
  - Atomic Test #32: ESXi - VM Discovery using ESXCLI [linux]
  - Atomic Test #33: ESXi - Darkside system information discovery [linux]
- T1016.002 Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
  - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [linux]
  - Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [linux]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
  - Atomic Test #3: System Network Configuration Discovery [macos, linux]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
  - Atomic Test #3: Nix File and Directory Discovery [linux, macos]
  - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
  - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
  - Atomic Test #1: Process Discovery - ps [linux, macos]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
  - Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
  - Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
  - Atomic Test #2: Examine password complexity policy - FreeBSD [linux]
  - Atomic Test #3: Examine password complexity policy - CentOS/RHEL 7.x [linux]
  - Atomic Test #4: Examine password complexity policy - CentOS/RHEL 6.x [linux]
  - Atomic Test #5: Examine password expiration policy - All Linux [linux]
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
  - Atomic Test #3: Discover System Language with locale [linux]
  - Atomic Test #4: Discover System Language with localectl [linux]
  - Atomic Test #5: Discover System Language by locale file [linux]
  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
  - Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
  - Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
  - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
  - Atomic Test #12: Remote System Discovery - ip neighbour [linux]
  - Atomic Test #13: Remote System Discovery - ip route [linux]
  - Atomic Test #14: Remote System Discovery - netstat [linux]
  - Atomic Test #15: Remote System Discovery - ip tcp_metrics [linux]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
  - Atomic Test #1: Port Scan [linux, macos]
  - Atomic Test #2: Port Scan Nmap [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

# execution

- T1129 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
  - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
  - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
  - Atomic Test #1: Create Systemd Service and Timer [linux]
  - Atomic Test #2: Create a user level transient systemd service and timer [linux]
  - Atomic Test #3: Create a system level transient systemd service and timer [linux]
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
  - Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
  - Atomic Test #2: Command-Line Interface [linux, macos]
  - Atomic Test #3: Harvest SUID executable files [linux]
  - Atomic Test #4: LinEnum tool execution [linux]
  - Atomic Test #5: New script file in the tmp directory [linux]
  - Atomic Test #6: What shell is running [linux]
  - Atomic Test #7: What shells are available [linux]
  - Atomic Test #8: Command line scripts [linux]
  - Atomic Test #9: Obfuscated command line scripts [linux]
  - Atomic Test #10: Change login shell [linux]
  - Atomic Test #11: Environment variable scripts [linux]
  - Atomic Test #12: Detecting pipe-to-shell [linux]
  - Atomic Test #13: Current kernel information enumeration [linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
  - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
  - Atomic Test #2: Execute Python via scripts [linux]
  - Atomic Test #3: Execute Python via Python executables [linux]
  - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #2: At - Schedule a job [linux]

# impact

- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1657 Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1531 Account Access Removal](../../T1531/T1531.md)

- Atomic Test #4: Change User Password via passwd [macos, linux]

- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)

- Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [linux]

- Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [linux]

- Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [linux]

- Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [linux]

- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1496 Resource Hijacking](../../T1496/T1496.md)

- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]

- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1485 Data Destruction](../../T1485/T1485.md)

- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]

- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)

- Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]

- Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]

- Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [linux, macos]

- Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [linux]

- Atomic Test #7: Reboot System via `halt` - FreeBSD [linux]

- Atomic Test #8: Reboot System via `halt` - Linux [linux]

- Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [linux]

- Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux]

- Atomic Test #11: Reboot System via `poweroff` - Linux [linux]

- Atomic Test #13: ESXi - Terminates VMs using pkill [linux]

- Atomic Test #14: ESXi - Avoslocker enumerates VMs and forcefully kills VMs [linux]

# initial-access

- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)

- Atomic Test #8: Create local account (Linux) [linux]

- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]

- Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]

- Atomic Test #11: Login as nobody (Linux) [linux]

- Atomic Test #12: Login as nobody (freebsd) [linux]

# exfiltration

- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1567.004 Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)

- Atomic Test #2: Exfiltrate data HTTPS using curl freebsd, linux or macos [macos, linux]

- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)

- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]

- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]

- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)

- Atomic Test #1: Data Transfer Size Limits [macos, linux]

- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)

- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]

- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]

- Atomic Test #8: Python3 http.server [linux]
