e1181e7384
* Tests added
* standardize display name
* Add tests for T1134.001 Access Token Impersonation/Theft (#1236)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Changing to device manufacturer based test
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Add test for T1006 Direct Volume Access (#1254)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253)
* T1036.004 - 2 tests added
* Update T1036.004.yaml
  Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* T1136.002 - 2 tests added (#1252)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Create atomic test for T1113 for Windows (#1251)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* update T1564.002
* update T1564.002
* add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique
* Added T1562.006 tests to emulate indicator blocking by modifying configuration files
* Removed prereq and fixed command endings
* Indirect command execution - conhost (#1265)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Office persistence : Office test (#1266)
* Office persistence : Office test
* Added technique details
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Remove index files to avoid CI complaints.
* Grr
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd

Co-authored-by: haresudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: gregclermont <580609+gregclermont@users.noreply.github.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com>
Co-authored-by: mrblacyk <kweinzettl@gmail.com>
Co-authored-by: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Co-authored-by: Yugoslavskiy Daniil <yugoslavskiy@gmail.com>
Co-authored-by: aw350m3 <aw350m3@yandex.com>
Co-authored-by: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
2.0 KiB
T1006 - Direct Volume Access
Description from ATT&CK
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)
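The "bypasses file system monitoring" point above is about file-level monitoring: a handle on `\\.\C:` never touches the files it ends up reading, so file audit policy and minifilter-based file monitors see nothing. The handle itself is still visible. Sysmon records it as Event ID 9 (RawAccessRead), with the requesting image and the device object it opened. The following is an added example written for this page, not code from Atomic Red Team or from the ATT&CK entry: it parses that event, flags volume-level reads from images that are not expected to read volumes directly, and queries the live Sysmon log. It assumes Sysmon is installed with RawAccessRead enabled in its configuration; the function names, the allowlist and the sample event are this example's own.

```powershell
# Added example (not part of the Atomic Red Team test or the ATT&CK text).
# Sysmon Event ID 9 (RawAccessRead) records the \\.\ volume handle that the
# T1006 test opens, so it is the usual telemetry for this technique. The live
# query assumes Sysmon is installed with RawAccessRead enabled in its config.

function ConvertFrom-SysmonRawAccessRead {
    param([xml]$EventXml)
    # Flatten the <Data Name="...">value</Data> pairs into a hashtable.
    $d = @{}
    foreach ($item in $EventXml.Event.EventData.Data) {
        $d[$item.GetAttribute('Name')] = $item.'#text'
    }
    [pscustomobject]@{
        UtcTime   = $d['UtcTime']
        ProcessId = [int]$d['ProcessId']
        Image     = $d['Image']
        Device    = $d['Device']
        User      = $d['User']   # only present in newer Sysmon versions, $null otherwise
    }
}

# Images that read volumes directly as part of normal operation. This list is an
# illustrative assumption for the example; tune it from your own baseline.
$BenignRawReaders = @(
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\defrag.exe'
)

function Test-SuspiciousRawAccessRead {
    param([pscustomobject]$Record)
    # Only volume-level reads matter for T1006; Device names the volume object.
    ($Record.Device -like '\Device\HarddiskVolume*') -and
    ($BenignRawReaders -notcontains $Record.Image)
}

function Get-SuspiciousRawAccessReads {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 9
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonRawAccessRead ([xml]$_.ToXml()) } |
        Where-Object { Test-SuspiciousRawAccessRead $_ }
}

# Constructed sample event (not a real capture), shaped like the XML Sysmon
# writes for Event ID 9 when the test above runs from powershell.exe.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2020-11-20 14:03:11.512</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume3</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-SysmonRawAccessRead $sample
# powershell.exe opening HarddiskVolume3 is not on the allowlist, so it is flagged.
Test-SuspiciousRawAccessRead $parsed

# Live sweep of the last 24 hours on a host with Sysmon installed.
Get-SuspiciousRawAccessReads | Format-Table UtcTime, ProcessId, Image, Device
```

The allowlist is keyed on the full image path rather than the file name so that a copy of `defrag.exe` dropped into a user-writable directory is still flagged. Note that `Device` is the kernel object name (`\Device\HarddiskVolumeN`), not a drive letter; map it with `Get-Partition`/`Get-Volume` or `QueryDosDevice` when you need to know which letter was read.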
Atomic Tests
Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)
This test uses PowerShell to open a handle on the drive volume via the `\\.\` DOS device path specifier and perform a direct-access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
For an NTFS volume, it should correspond to the following sequence (the start of the NTFS partition boot sector: a 3-byte jump instruction followed by the 8-byte OEM ID `NTFS    `):

```
           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   EB 52 90 4E 54 46 53 20 20 20 20                 ëR?NTFS
```
Supported Platforms: Windows
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| volume | Drive letter of the volume to access | string | C: |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
```powershell
# 11 bytes: the 3-byte jump instruction plus the 8-byte OEM ID of the boot sector.
$buffer = New-Object byte[] 11
# Open the raw volume through the \\.\ DOS device path. FileShare 'ReadWrite' is
# required because the mounted volume is already held open by the system.
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
# Read straight from the device, bypassing the file system's access checks.
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer
```
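The test stops at 11 bytes, which is enough to prove the handle works. What makes direct volume access useful to an adversary is the rest of the boot sector: the BIOS Parameter Block tells you the cluster size and the cluster where `$MFT` starts, and from there a raw-access file copier such as NinjaCopy walks the MFT to reach any file without ever opening it. The following is an added example written for this page, not part of the Atomic Red Team test: it reads the full 512-byte boot sector through the same `\\.\` path, validates the OEM ID and `55 AA` signature, parses the BPB fields and computes the byte offset of `$MFT` within the volume. It goes beyond the test in that it parses the whole sector rather than dumping the first bytes. Function names and the constructed sample sector are this example's own; the live read needs an elevated PowerShell session and assumes an NTFS volume.

```powershell
# Added example, not part of the Atomic Red Team test above. Reads the whole
# 512-byte boot sector through the same \\.\ device path and parses the NTFS
# BIOS Parameter Block to find $MFT, which is the first thing a raw-volume file
# copier such as NinjaCopy has to locate. Function names and the sample sector
# are this example's own; the live read needs an elevated PowerShell session.

function Read-VolumeBootSector {
    param([string]$Volume = 'C:')
    $sector = New-Object byte[] 512
    # Raw device reads must be sector-aligned; FileStream fills its own 4 KiB
    # buffer from offset 0, so this 512-byte request is served from that.
    $fs = New-Object IO.FileStream "\\.\$Volume", 'Open', 'Read', 'ReadWrite'
    try {
        $n = $fs.Read($sector, 0, $sector.Length)
        if ($n -ne $sector.Length) { throw "Short read from volume ${Volume}: $n bytes" }
    } finally {
        $fs.Close()
    }
    return ,$sector
}

function ConvertFrom-NtfsBootSector {
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'Need at least 512 bytes' }
    $oem = [Text.Encoding]::ASCII.GetString($Sector, 3, 8)
    if ($oem -ne 'NTFS    ') { throw "Not an NTFS boot sector (OEM ID '$oem')" }
    if ($Sector[0x1FE] -ne 0x55 -or $Sector[0x1FF] -ne 0xAA) { throw 'Boot signature 55 AA missing' }

    $bytesPerSector = [int64][BitConverter]::ToUInt16($Sector, 0x0B)
    $spc = [int]$Sector[0x0D]
    # A value >= 0x80 encodes a large cluster as 2^(256 - n) sectors (Windows 10 1709 and later).
    $sectorsPerCluster = if ($spc -ge 0x80) { [int64][Math]::Pow(2, 256 - $spc) } else { [int64]$spc }
    $clusterSize = $bytesPerSector * $sectorsPerCluster

    # Clusters per file record is a signed byte; a negative value n means 2^(-n) bytes.
    $cpr = [int]$Sector[0x40]
    if ($cpr -ge 0x80) { $cpr -= 256 }
    $recordSize = if ($cpr -gt 0) { $cpr * $clusterSize } else { [int64][Math]::Pow(2, -$cpr) }

    $mftCluster = [BitConverter]::ToInt64($Sector, 0x30)
    [pscustomobject]@{
        OemId             = $oem
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        ClusterSize       = $clusterSize
        TotalSectors      = [BitConverter]::ToInt64($Sector, 0x28)
        MftCluster        = $mftCluster
        MftMirrCluster    = [BitConverter]::ToInt64($Sector, 0x38)
        MftRecordSize     = $recordSize
        # Byte offset of $MFT from the start of the volume: where to Seek() on the \\.\ handle.
        MftByteOffset     = $mftCluster * $clusterSize
        VolumeSerial      = '{0:X16}' -f [BitConverter]::ToUInt64($Sector, 0x48)
    }
}

function New-SampleNtfsBootSector {
    # Constructed sample (not captured from a real disk): 512-byte sectors,
    # 8 sectors per cluster, $MFT at cluster 0xC0000, 1 KiB file records.
    $s = New-Object byte[] 512
    $s[0] = 0xEB; $s[1] = 0x52; $s[2] = 0x90                               # JMP +0x52 ; NOP
    [Text.Encoding]::ASCII.GetBytes('NTFS    ').CopyTo($s, 3)              # OEM ID
    [BitConverter]::GetBytes([uint16]512).CopyTo($s, 0x0B)                 # bytes per sector
    $s[0x0D] = 8                                                           # sectors per cluster
    $s[0x15] = 0xF8                                                        # media descriptor: fixed disk
    [BitConverter]::GetBytes([int64]0x3A37FFF).CopyTo($s, 0x28)            # total sectors
    [BitConverter]::GetBytes([int64]0xC0000).CopyTo($s, 0x30)              # $MFT cluster
    [BitConverter]::GetBytes([int64]2).CopyTo($s, 0x38)                    # $MFTMirr cluster
    $s[0x40] = 0xF6                                                        # -10 => 2^10 = 1024-byte records
    $s[0x44] = 0x01                                                        # clusters per index buffer
    [BitConverter]::GetBytes([int64]0x1A2B3C4D5E6F7081).CopyTo($s, 0x48)   # volume serial
    $s[0x1FE] = 0x55; $s[0x1FF] = 0xAA                                     # boot signature
    return ,$s
}

# Offline check against the constructed sample first (no elevation needed),
# then the live C: volume when the session is elevated.
ConvertFrom-NtfsBootSector (New-SampleNtfsBootSector) | Format-List
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    ConvertFrom-NtfsBootSector (Read-VolumeBootSector 'C:') | Format-List
}
```

`MftByteOffset` is relative to the start of the volume because `\\.\C:` opens the volume, not the physical disk; opening `\\.\PhysicalDrive0` instead would require adding the partition's starting offset. Reading the MFT itself is the next step of the technique and is left out here: the point of the example is to show how little the boot sector read needs to yield before everything else on the volume becomes reachable without a single file open.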