Revert "Change status of old rules"
@@ -1,13 +1,12 @@
title: Powershell Create Scheduled Task
id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
status: test
status: experimental
description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1053.005
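Review bot: the direction of this change cannot be read from the rendered lines, because the `+`/`-` markers are gone and both `status: test` and `status: experimental` appear as plain text; only the header `@@ -1,13 +1,12 @@` (one line fewer afterwards) together with the "Revert" title shows that `status: test` and `modified: 2023/01/25` are the removed lines and `status: experimental` the added one. The commit message should also say why the promotion to `test` is being undone (which rules failed, or whether the earlier change was simply premature), since any consumer that filters on status, for example deploying only `test` and `stable` rules, will drop every rule in this commit once it lands.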
@@ -1,6 +1,6 @@
title: Registry-Free Process Scope COR_PROFILER
id: 23590215-4702-4a70-8805-8dc9e58314a2
status: test
status: experimental
description: |
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
@@ -11,7 +11,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
author: frack113
date: 2021/12/30
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1574.012
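Review bot: nothing in the rendered lines marks `modified: 2023/01/25` as the line being removed; the header `@@ -11,7 +11,6 @@ references:` (seven lines before, six after) is the only evidence. Dropping the field is right for a pure revert, since it restores the file to its pre-change state, but if anything else in the rule is touched in the same commit the field should be kept and bumped rather than deleted. The same applies to every other `references:` hunk in this commit.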
@@ -1,13 +1,12 @@
title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
status: experimental
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
- https://attack.mitre.org/datasources/DS0005/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022/01/12
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1003.003
@@ -1,6 +1,6 @@
title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: test
status: experimental
description: |
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
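Review bot: the context line ending "part of that domain.." carries a doubled full stop. It predates this change, so leave it out of the revert to keep it clean, but it is worth a one-line follow-up fix since the description is user-facing text in the rule.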
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1136.002
@@ -1,13 +1,12 @@
title: Enable Windows Remote Management
id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: test
status: experimental
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022/01/07
modified: 2023/01/25
tags:
- attack.lateral_movement
- attack.t1021.006
@@ -1,6 +1,6 @@
title: Service Registry Permissions Weakness Check
id: 95afc12e-3cbb-40c3-9340-84a032e596a3
status: test
status: experimental
description: |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
@@ -10,7 +10,6 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
author: frack113
date: 2021/12/30
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1574.011
@@ -1,13 +1,12 @@
title: Execute Invoke-command on Remote Host
id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
status: test
status: experimental
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
author: frack113
date: 2022/01/07
modified: 2023/01/25
tags:
- attack.lateral_movement
- attack.t1021.006
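Review bot: the `description:` context line here is word-for-word the same as in the "Enable Windows Remote Management" rule earlier in this commit (the generic T1021.006 text), so a reader of either rule cannot tell what the rule actually matches on. Both descriptions predate this revert, but a follow-up that states the observed behaviour (here, `Invoke-Command` against a remote host; there, enabling WinRM) would make triage of the resulting alerts much easier.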
@@ -1,13 +1,12 @@
title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
status: experimental
description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
- https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022/01/07
modified: 2023/01/25
tags:
- attack.exfiltration
- attack.t1048
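Review bot: the `description:` context line "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel" is ungrammatical and lacks a full stop; something like "Detects use of DNSExfiltrator, a tool that exfiltrates a file over a DNS-request covert channel." reads cleanly and says what the rule is for. Not part of this revert, but a cheap follow-up.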
@@ -1,6 +1,6 @@
title: Powershell LocalAccount Manipulation
id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
status: test
status: experimental
description: |
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1098
@@ -1,6 +1,6 @@
title: Code Executed Via Office Add-in XLL File
id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
status: test
status: experimental
description: |
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1137.006
@@ -1,6 +1,6 @@
title: Request A Single Ticket via PowerShell
id: a861d835-af37-4930-bcd6-5b178bfb54df
status: test
status: experimental
description: |
utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
This behavior is typically used during a kerberos or silver ticket attack.
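Review bot: the description context lines start mid-sentence with a lowercase "utilize" (the Atomic test text was pasted without a subject) and write "kerberos" in lowercase; "Detects use of native PowerShell identity modules to query the domain for the Service Principal Names of a single computer." fixes the first line. The second line's "a kerberos or silver ticket attack" is also vague next to the `attack.t1558.003` tag and is worth a re-read by the author. Pre-existing, so a follow-up rather than part of this revert.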
@@ -9,7 +9,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1558.003
@@ -1,6 +1,6 @@
title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
status: test
status: experimental
description: |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
@@ -11,7 +11,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
author: frack113
date: 2022/01/02
modified: 2023/01/25
tags:
- attack.execution
- attack.t1059.003
@@ -1,6 +1,6 @@
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
status: experimental
description: |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021/12/27
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1110.001
@@ -1,6 +1,6 @@
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
status: experimental
description: |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021/12/26
modified: 2023/01/25
tags:
- attack.impact
- attack.t1531
@@ -1,13 +1,12 @@
title: Suspicious SSL Connection
id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
status: test
status: experimental
description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
- https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
author: frack113
date: 2022/01/23
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1573
@@ -1,13 +1,12 @@
title: Suspicious Start-Process PassThru
id: 0718cd72-f316-4aa2-988f-838ea8533277
status: test
status: experimental
description: Powershell use PassThru option to start in background
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022/01/15
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1036.003
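Review bot: the `description:` context line "Powershell use PassThru option to start in background" is a fragment and misstates the switch: `-PassThru` makes `Start-Process` return the process object it created, it does not by itself run anything in the background. Suggest "Detects PowerShell Start-Process invocations using the -PassThru switch." or whatever behaviour the selection actually keys on. Pre-existing text, so a follow-up rather than part of this revert.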
@@ -1,6 +1,6 @@
title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
status: experimental
description: |
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021/12/26
modified: 2023/01/25
tags:
- attack.impact
- attack.t1491.001
@@ -1,6 +1,6 @@
title: Testing Usage of Uncommonly Used Port
id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
status: test
status: experimental
description: |
Adversaries may communicate using a protocol and port paring that are typically not associated.
For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
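Review bot: the description context lines contain "port paring" (should be "pairing") and two "(Citation: ...)" tokens pasted straight from the ATT&CK STIX description; those tokens are meaningless in a Sigma rule and should either be dropped or turned into proper entries under `references:`. Pre-existing, so a follow-up rather than part of this revert.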
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022/01/23
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1571