24549e3866
* Initial transfer of atomics to MITRE subtechniques
* Add GUIDs back in, attack_technique to string (#1019)
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* Subtechnique transfer T1220-T1546.005 (#1020)
* Create T1222.001.yaml
* Create T1222.002.yaml
* Create T1505.002.yaml
* Update T1543.003.yaml
* Update AtomicService.cs
* Update T1546.005.yaml
* Delete T1222.yaml
* Update T1482.yaml
* Update T1485.yaml
* Update T1220.yaml
* Update T1489.yaml
* Update T1490.yaml
* Update T1496.yaml
* Update T1505.003.yaml
* Update T1505.yaml
* Update T1518.001.yaml
* Update T1518.yaml
* Update T1529.yaml
* Update T1543.004.yaml
* Update T1546.001.yaml
* Update T1546.002.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.002.yaml
* Update T1543.001.yaml
* Update T1518.001.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1531.yaml
* Update T1222.001.yaml
* Update T1222.002.yaml
* Update T1505.002.yaml
* Update T1505.003.yaml
* Update T1518.001.yaml
* Update T1543.001.yaml
* Update T1546.005.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.003.yaml
* Update T1543.002.yaml
* added auto_generated_guid 1220
* added T1222.001 auto_generated_guid
* Update T1222.002.yaml added auto_generated_guid entries
* Update T1482.yaml auto_generated_guid added
* Update T1485.yaml added auto_generated_guids
* Update T1489.yaml added auto_generated_guids
* Update T1490.yaml added auto_generated_guids
* Update T1496.yaml added auto_generated_guid
* Update T1505.002.yaml added auto_generated_guid from old T1505 same atomic
* Update T1505.003.yaml added auto_generated_guid from previous atomic 1100
* Delete T1505.yaml no longer needed, moved to 1505.002
* Update T1518.yaml added auto_generated_guids
* Update T1529.yaml added auto_generated_guids
* Update T1531.yaml added auto_generated_guids
* Update T1543.001.yaml added auto_generated_guid
* Update T1543.002.yaml added auto_generated_guid
* Update T1543.004.yaml added auto_generated_guid
* Update T1546.001.yaml added auto_generated_guid
* Update T1546.002.yaml added auto_generated_guid
* Update T1546.003.yaml
* Update T1546.004.yaml added auto_generated_guid
* Update T1546.005.yaml added auto_generated_guid
* add guids back in
* fix spacing issue
* fix spacing
* fix spacing Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Sub-techniques T1053-T1113 - Updates (#1022)
* Sub-techniques T1053-T1113 - Updates Updated techniques for sub-techniques.
* minor fixes format fixing
* Added GUIDs - Added GUIDs back - Fixed typo (T1054) - Fixed attack_technique from an array to a string
* Sub-technique updates T1546.008 through T1574.011 (#1024)
* sub technique updates
* sub technique updates
* sub technique updates
* Carrie updates (#1017)
* updated T1110,12,13
* updated T1114
* updated T1114
* updated T1115
* updated T1119
* updated T1123,24
* updated T1127
* updated T1114
* updated T1127
* updated T1132
* T1134.004
* T1134.004
* updated T1135
* updated T1136
* updated T1137
* updated T1140
* remove deprecated T1153
* updated T1176
* updated T1197
* updated T1201
* updated T1202
* updated T1204
* updated T1207
* updated T1216
* updated T1204
* updated T1217
* updated T1218
* updated T1218
* updated T1219
* updated T1218
* attack_technique to string
* Subtechnique transfer (#1025)
* T1003 review
* T1005 manual review changes
* T1027.002 sub-technique review
* T1027.004 sub-technique review
* T1036 sub-technique review
* T1037 sub-technique review
* T1048 sub-technique review
* YAML bugfixes
* Adding auto-generated GUIDs back to tests
* merging with Mike's PR
* Merging with Carrie's PR
* fix spacing Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Subtechnique fix (#1026)
* add atomic_tests: element
* add atomic_tests: element
* more fixes
* more fixes
* more fixes
* sub technique minor fixes 1 (#1027)
* fixes
* fixes
* more fixes
* more fixes
* display name fix (#1028)
* remove some deprecated stuff. reorganize a little (#1031)
* Gendocs fix (#1033)
* gendocs updates for subtechniques
* add folders
* ignore auto generated markdown files
* remove tmp files
* add tmp files
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer
* navigator layer v3.0
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
26 KiB
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Cloud Accounts CONTRIBUTE A TEST | At (Linux) CONTRIBUTE A TEST | .bash_profile and .bashrc | .bash_profile and .bashrc | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | /etc/passwd and /etc/shadow CONTRIBUTE A TEST | Account Discovery CONTRIBUTE A TEST | Application Access Token CONTRIBUTE A TEST | Archive Collected Data CONTRIBUTE A TEST | Automated Exfiltration CONTRIBUTE A TEST | Application Layer Protocol CONTRIBUTE A TEST | Account Access Removal CONTRIBUTE A TEST |
| Compromise Hardware Supply Chain CONTRIBUTE A TEST | Bash | Account Manipulation CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Application Access Token CONTRIBUTE A TEST | Bash History | Browser Bookmark Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Data Transfer Size Limits | Asymmetric Cryptography CONTRIBUTE A TEST | Application Exhaustion Flood CONTRIBUTE A TEST |
| Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | At (Linux) CONTRIBUTE A TEST | Binary Padding | Brute Force CONTRIBUTE A TEST | Cloud Account CONTRIBUTE A TEST | Internal Spearphishing CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST |
| Compromise Software Supply Chain CONTRIBUTE A TEST | Cron | Add-ins CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Bootkit CONTRIBUTE A TEST | Cloud Instance Metadata API CONTRIBUTE A TEST | Cloud Groups CONTRIBUTE A TEST | Lateral Tool Transfer CONTRIBUTE A TEST | Archive via Utility | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Communication Through Removable Media CONTRIBUTE A TEST | Data Destruction |
| Default Accounts CONTRIBUTE A TEST | Exploitation for Client Execution CONTRIBUTE A TEST | Additional Azure Service Principal Credentials CONTRIBUTE A TEST | Cloud Accounts CONTRIBUTE A TEST | Clear Command History | Credential Stuffing CONTRIBUTE A TEST | Cloud Service Dashboard CONTRIBUTE A TEST | Remote Service Session Hijacking CONTRIBUTE A TEST | Audio Capture CONTRIBUTE A TEST | Exfiltration Over Bluetooth CONTRIBUTE A TEST | DNS CONTRIBUTE A TEST | Data Encrypted for Impact CONTRIBUTE A TEST |
| Domain Accounts CONTRIBUTE A TEST | Graphical User Interface CONTRIBUTE A TEST | At (Linux) CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | Clear Linux or Mac System Logs | Credentials In Files | Cloud Service Discovery CONTRIBUTE A TEST | Remote Services CONTRIBUTE A TEST | Automated Collection CONTRIBUTE A TEST | Exfiltration Over C2 Channel CONTRIBUTE A TEST | DNS Calculation CONTRIBUTE A TEST | Data Manipulation CONTRIBUTE A TEST |
| Drive-by Compromise CONTRIBUTE A TEST | Malicious File CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Cron | Cloud Accounts CONTRIBUTE A TEST | Credentials from Password Stores CONTRIBUTE A TEST | Domain Account CONTRIBUTE A TEST | SSH CONTRIBUTE A TEST | Clipboard Data CONTRIBUTE A TEST | Exfiltration Over Other Network Medium CONTRIBUTE A TEST | Data Encoding CONTRIBUTE A TEST | Defacement CONTRIBUTE A TEST |
| Exploit Public-Facing Application CONTRIBUTE A TEST | Malicious Link CONTRIBUTE A TEST | Bootkit CONTRIBUTE A TEST | Default Accounts CONTRIBUTE A TEST | Compile After Delivery CONTRIBUTE A TEST | Credentials from Web Browsers CONTRIBUTE A TEST | Domain Groups CONTRIBUTE A TEST | SSH Hijacking CONTRIBUTE A TEST | Confluence CONTRIBUTE A TEST | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Data Obfuscation CONTRIBUTE A TEST | Direct Network Flood CONTRIBUTE A TEST |
| Hardware Additions CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Browser Extensions | Domain Accounts CONTRIBUTE A TEST | Default Accounts CONTRIBUTE A TEST | Exploitation for Credential Access CONTRIBUTE A TEST | Email Account CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Data Staged CONTRIBUTE A TEST | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Dead Drop Resolver CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST |
| Local Accounts CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Cloud Account CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Disable or Modify System Firewall | Input Capture CONTRIBUTE A TEST | File and Directory Discovery | Use Alternate Authentication Material CONTRIBUTE A TEST | Data from Cloud Storage Object CONTRIBUTE A TEST | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Domain Fronting CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST |
| Phishing CONTRIBUTE A TEST | Scripting CONTRIBUTE A TEST | Cloud Accounts CONTRIBUTE A TEST | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Disable or Modify Tools | Keylogging CONTRIBUTE A TEST | Local Account | VNC CONTRIBUTE A TEST | Data from Information Repositories CONTRIBUTE A TEST | Exfiltration Over Web Service CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST |
| Spearphishing Attachment CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Compromise Client Software Binary CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Man-in-the-Middle CONTRIBUTE A TEST | Local Groups | Web Session Cookie CONTRIBUTE A TEST | Data from Local System CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Dynamic Resolution CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST |
| Spearphishing Link CONTRIBUTE A TEST | Source CONTRIBUTE A TEST | Create Account CONTRIBUTE A TEST | Kernel Modules and Extensions | Execution Guardrails CONTRIBUTE A TEST | Network Sniffing | Network Service Scanning | | Data from Network Shared Drive CONTRIBUTE A TEST | Exfiltration to Cloud Storage CONTRIBUTE A TEST | Encrypted Channel CONTRIBUTE A TEST | External Defacement CONTRIBUTE A TEST |
| Spearphishing via Service CONTRIBUTE A TEST | User Execution CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | LD_PRELOAD | Exploitation for Defense Evasion CONTRIBUTE A TEST | OS Credential Dumping CONTRIBUTE A TEST | Network Share Discovery | | Data from Removable Media CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Firmware Corruption CONTRIBUTE A TEST |
| Supply Chain Compromise CONTRIBUTE A TEST | | Cron | Local Accounts CONTRIBUTE A TEST | File Deletion | Password Cracking CONTRIBUTE A TEST | Network Sniffing | | Email Collection CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | Fallback Channels CONTRIBUTE A TEST | Inhibit System Recovery CONTRIBUTE A TEST |
| Trusted Relationship CONTRIBUTE A TEST | | Default Accounts CONTRIBUTE A TEST | Proc Memory CONTRIBUTE A TEST | File and Directory Permissions Modification CONTRIBUTE A TEST | Password Guessing CONTRIBUTE A TEST | Password Policy Discovery | | Email Forwarding Rule CONTRIBUTE A TEST | Transfer Data to Cloud Account CONTRIBUTE A TEST | Fast Flux DNS CONTRIBUTE A TEST | Internal Defacement CONTRIBUTE A TEST |
| Valid Accounts CONTRIBUTE A TEST | | Domain Account CONTRIBUTE A TEST | Process Injection CONTRIBUTE A TEST | HISTCONTROL | Password Spraying CONTRIBUTE A TEST | Permission Groups Discovery CONTRIBUTE A TEST | | Input Capture CONTRIBUTE A TEST | | File Transfer Protocols CONTRIBUTE A TEST | Network Denial of Service CONTRIBUTE A TEST |
| | | Domain Accounts CONTRIBUTE A TEST | Ptrace System Calls CONTRIBUTE A TEST | Hidden Files and Directories | Private Keys | Process Discovery | | Keylogging CONTRIBUTE A TEST | | Ingress Tool Transfer | OS Exhaustion Flood CONTRIBUTE A TEST |
| | | Event Triggered Execution CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Hide Artifacts CONTRIBUTE A TEST | Proc Filesystem CONTRIBUTE A TEST | Remote System Discovery | | Local Data Staging | | Internal Proxy | Reflection Amplification CONTRIBUTE A TEST |
| | | Exchange Email Delegate Permissions CONTRIBUTE A TEST | Setuid and Setgid | Hijack Execution Flow CONTRIBUTE A TEST | Securityd Memory CONTRIBUTE A TEST | Security Software Discovery | | Man-in-the-Middle CONTRIBUTE A TEST | | Junk Data CONTRIBUTE A TEST | Resource Hijacking |
| | | Hijack Execution Flow CONTRIBUTE A TEST | Sudo and Sudo Caching | Impair Defenses CONTRIBUTE A TEST | Steal Application Access Token CONTRIBUTE A TEST | Software Discovery CONTRIBUTE A TEST | | Remote Data Staging CONTRIBUTE A TEST | | Mail Protocols CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST |
| | | Implant Container Image CONTRIBUTE A TEST | Systemd Service | Indicator Removal from Tools CONTRIBUTE A TEST | Steal Web Session Cookie CONTRIBUTE A TEST | System Information Discovery | | Remote Email Collection CONTRIBUTE A TEST | | Multi-Stage Channels CONTRIBUTE A TEST | Service Exhaustion Flood CONTRIBUTE A TEST |
| | | Kernel Modules and Extensions | Trap | Indicator Removal on Host CONTRIBUTE A TEST | Two-Factor Authentication Interception CONTRIBUTE A TEST | System Network Configuration Discovery | | Screen Capture | | Multi-hop Proxy CONTRIBUTE A TEST | Stored Data Manipulation CONTRIBUTE A TEST |
| | | LD_PRELOAD | VDSO Hijacking CONTRIBUTE A TEST | Install Root Certificate | Unsecured Credentials CONTRIBUTE A TEST | System Network Connections Discovery | | Sharepoint CONTRIBUTE A TEST | | Multiband Communication CONTRIBUTE A TEST | System Shutdown/Reboot |
| | | Local Account | Valid Accounts CONTRIBUTE A TEST | LD_PRELOAD | Web Portal Capture CONTRIBUTE A TEST | System Owner/User Discovery | | Web Portal Capture CONTRIBUTE A TEST | | Non-Application Layer Protocol CONTRIBUTE A TEST | Transmitted Data Manipulation CONTRIBUTE A TEST |
| | | Local Accounts CONTRIBUTE A TEST | | Linux and Mac File and Directory Permissions Modification | | | | | | Non-Standard Encoding CONTRIBUTE A TEST | |
| | | Office Application Startup CONTRIBUTE A TEST | | Local Accounts CONTRIBUTE A TEST | | | | | | Non-Standard Port | |
| | | Office Template Macros CONTRIBUTE A TEST | | Masquerade Task or Service CONTRIBUTE A TEST | | | | | | One-Way Communication CONTRIBUTE A TEST | |
| | | Office Test CONTRIBUTE A TEST | | Masquerading CONTRIBUTE A TEST | | | | | | Port Knocking CONTRIBUTE A TEST | |
| | | Outlook Forms CONTRIBUTE A TEST | | Match Legitimate Name or Location CONTRIBUTE A TEST | | | | | | Protocol Impersonation CONTRIBUTE A TEST | |
| | | Outlook Home Page CONTRIBUTE A TEST | | Obfuscated Files or Information | | | | | | Protocol Tunneling CONTRIBUTE A TEST | |
| | | Outlook Rules CONTRIBUTE A TEST | | Port Knocking CONTRIBUTE A TEST | | | | | | Proxy CONTRIBUTE A TEST | |
| | | Port Knocking CONTRIBUTE A TEST | | Pre-OS Boot CONTRIBUTE A TEST | | | | | | Remote Access Software CONTRIBUTE A TEST | |
| | | Pre-OS Boot CONTRIBUTE A TEST | | Proc Memory CONTRIBUTE A TEST | | | | | | Standard Encoding | |
| | | Redundant Access CONTRIBUTE A TEST | | Process Injection CONTRIBUTE A TEST | | | | | | Steganography CONTRIBUTE A TEST | |
| | | SQL Stored Procedures CONTRIBUTE A TEST | | Ptrace System Calls CONTRIBUTE A TEST | | | | | | Symmetric Cryptography CONTRIBUTE A TEST | |
| | | Scheduled Task/Job CONTRIBUTE A TEST | | Redundant Access CONTRIBUTE A TEST | | | | | | Traffic Signaling CONTRIBUTE A TEST | |
| | | Server Software Component CONTRIBUTE A TEST | | Rename System Utilities | | | | | | Web Protocols | |
| | | Systemd Service | | Revert Cloud Instance CONTRIBUTE A TEST | | | | | | Web Service CONTRIBUTE A TEST | |
| | | Traffic Signaling CONTRIBUTE A TEST | | Right-to-Left Override CONTRIBUTE A TEST | | | | | | | |
| | | Transport Agent CONTRIBUTE A TEST | | Rootkit | | | | | | | |
| | | Trap | | Scripting CONTRIBUTE A TEST | | | | | | | |
| | | Valid Accounts CONTRIBUTE A TEST | | Setuid and Setgid | | | | | | | |
| | | Web Shell CONTRIBUTE A TEST | | Space after Filename CONTRIBUTE A TEST | | | | | | | |
| | | | | Steganography CONTRIBUTE A TEST | | | | | | | |
| | | | | Subvert Trust Controls CONTRIBUTE A TEST | | | | | | | |
| | | | | Sudo and Sudo Caching | | | | | | | |
| | | | | System Checks CONTRIBUTE A TEST | | | | | | | |
| | | | | Time Based Evasion CONTRIBUTE A TEST | | | | | | | |
| | | | | Timestomp | | | | | | | |
| | | | | Traffic Signaling CONTRIBUTE A TEST | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions CONTRIBUTE A TEST | | | | | | | |
| | | | | Use Alternate Authentication Material CONTRIBUTE A TEST | | | | | | | |
| | | | | User Activity Based Checks CONTRIBUTE A TEST | | | | | | | |
| | | | | VDSO Hijacking CONTRIBUTE A TEST | | | | | | | |
| | | | | Valid Accounts CONTRIBUTE A TEST | | | | | | | |
| | | | | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | | | | |
| | | | | Web Session Cookie CONTRIBUTE A TEST | | | | | | | |