security-tools/atomic-red-team

Files

T

caseysmithrc 515da8e9dc yamilze

2018-05-24 07:59:56 -06:00

18 KiB

Raw Blame History

macOS Atomic Tests by ATT&CK Tactic & Technique

persistence

T1156 .bash_profile and .bashrc
T1176 Browser Extensions
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
T1136 Create Account
- Atomic Test #2: Create a user account on a MacOS system [macos]
T1157 Dylib Hijacking
T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
T1215 Kernel Modules and Extensions
T1161 LC_LOAD_DYLIB Addition
T1159 Launch Agent
T1160 Launch Daemon
T1152 Launchctl
T1168 Local Job Scheduling
T1162 Login Item
T1037 Logon Scripts
T1150 Plist Modification
T1205 Port Knocking
T1163 Rc.common
T1164 Re-opened Applications
T1108 Redundant Access
T1165 Startup Items
T1154 Trap
T1078 Valid Accounts
T1100 Web Shell

discovery

T1087 Account Discovery
- Atomic Test #1: List all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logger in remotely [linux, macos]
T1010 Application Window Discovery
T1217 Browser Bookmark Discovery
T1083 File and Directory Discovery
T1046 Network Service Scanning
- Atomic Test #1: Scan a bunch of ports to see if they are open [linux, macos]
T1135 Network Share Discovery
T1201 Password Policy Discovery
T1069 Permission Groups Discovery
T1057 Process Discovery
T1018 Remote System Discovery
T1063 Security Software Discovery
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery

execution

lateral-movement

T1155 AppleScript
T1017 Application Deployment Software
T1210 Exploitation of Remote Services
T1037 Logon Scripts
T1105 Remote File Copy
- Atomic Test #1: xxxx [linux, macos]
T1021 Remote Services
T1184 SSH Hijacking
T1072 Third-party Software

collection

T1123 Audio Capture
T1119 Automated Collection
T1115 Clipboard Data
T1074 Data Staged
T1213 Data from Information Repositories
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1056 Input Capture
T1113 Screen Capture
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
T1125 Video Capture

exfiltration

credential-access

T1139 Bash History
- Atomic Test #1: xxxx [linux, macos]
T1110 Brute Force
T1081 Credentials in Files
T1212 Exploitation for Credential Access
T1056 Input Capture
T1141 Input Prompt
T1142 Keychain
T1040 Network Sniffing
T1145 Private Keys
T1167 Securityd Memory
T1111 Two-Factor Authentication Interception

defense-evasion

T1009 Binary Padding
T1146 Clear Command History
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
T1116 Code Signing
T1089 Disabling Security Tools
T1211 Exploitation for Defense Evasion
T1107 File Deletion
T1144 Gatekeeper Bypass
T1148 HISTCONTROL
T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
T1147 Hidden Users
T1143 Hidden Window
T1066 Indicator Removal from Tools
T1070 Indicator Removal on Host
T1130 Install Root Certificate
T1149 LC_MAIN Hijacking
T1152 Launchctl
T1036 Masquerading
T1027 Obfuscated Files or Information
T1150 Plist Modification
T1205 Port Knocking
T1055 Process Injection
T1108 Redundant Access
T1014 Rootkit
T1064 Scripting
T1151 Space after Filename
T1078 Valid Accounts
T1102 Web Service

command-and-control

initial-access

privilege-escalation