Skip to content

Commit

Permalink
deploy: 0ec33d6
Browse files Browse the repository at this point in the history
  • Loading branch information
cyberbuff committed Jan 11, 2024
1 parent 2ca9073 commit 178fd81
Show file tree
Hide file tree
Showing 2,022 changed files with 920,744 additions and 4,523,093 deletions.
2 changes: 1 addition & 1 deletion .buildinfo
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Sphinx build info version 1
# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
config: 80cda6c4b5ae5c6142a3a909fbd51503
config: cb467325a4f577f5730e6fd72254b936
tags: 645f666f9bcd5a90fca523b33c5a78b7
6 changes: 3 additions & 3 deletions _sources/tactics.ipynb
Original file line number Diff line number Diff line change
Expand Up @@ -2,21 +2,21 @@
"cells": [
{
"cell_type": "markdown",
"id": "9d96ebdd",
"id": "c9ada3b6",
"metadata": {},
"source": "| ID | Name | Description |\n| -------- | --------- | --------- |\n| TA0001 | Initial Access | The adversary is trying to get into your network.|\n| TA0002 | Execution | The adversary is trying to run malicious code.|\n| TA0003 | Persistence | The adversary is trying to maintain their foothold.|\n| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions.|\n| TA0005 | Defense Evasion | The adversary is trying to avoid being detected.|\n| TA0006 | Credential Access | The adversary is trying to steal account names and passwords.|\n| TA0007 | Discovery | The adversary is trying to figure out your environment.|\n| TA0008 | Lateral Movement | The adversary is trying to move through your environment.|\n| TA0009 | Collection | The adversary is trying to gather data of interest to their goal.|\n| TA0010 | Exfiltration | The adversary is trying to steal data.|\n| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them.|\n| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.|"
}
],
"metadata": {
"kernelspec": {
"display_name": ".NET (PowerShell)",
"language": "PowerShell",
"language": "pwsh",
"name": ".net-powershell"
},
"language_info": {
"file_extension": ".ps1",
"mimetype": "text/x-powershell",
"name": "PowerShell",
"name": "pwsh",
"pygments_lexer": "powershell",
"version": "7.0"
}
Expand Down
10 changes: 5 additions & 5 deletions _sources/tactics/collection.ipynb

Large diffs are not rendered by default.

98 changes: 89 additions & 9 deletions _sources/tactics/collection/T1005.ipynb
Original file line number Diff line number Diff line change
Expand Up @@ -2,39 +2,119 @@
"cells": [
{
"cell_type": "markdown",
"id": "36fe224e",
"id": "8decad8f",
"metadata": {},
"source": "# T1005 - Data from Local System\nAdversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n"
"source": "# T1005 - Data from Local System\nAdversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n"
},
{
"cell_type": "markdown",
"id": "6bedfa7a",
"id": "142d0798",
"metadata": {},
"source": "## Atomic Tests:\nCurrently, no tests are available for this technique."
"source": "## Atomic Tests"
},
{
"cell_type": "markdown",
"id": "1ce41692",
"id": "8553ba21",
"metadata": {},
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
"source": [
"### Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)",
"This test searches for files of certain extensions and saves them to a single zip file prior to extraction. \n",
"**Supported Platforms:** windows",
"\nElevation Required (e.g. root or admin)",
"#### Attack Commands: Run with `powershell`\n",
"```powershell\n$startingDirectory = \"C:\\Users\"\n$outputZip = \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1005\"\n$fileExtensionsString = \".doc, .docx, .txt\" \n$fileExtensions = $fileExtensionsString -split \", \"\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath \"$outputZip\\data.zip\"\n\n Write-Host \"Zip file created: $outputZip\\data.zip\"\n } else {\n Write-Host \"No files found with the specified extensions.\"\n }\n```"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "4db95418",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 1"
},
{
"cell_type": "markdown",
"id": "24edec4b",
"metadata": {},
"source": "#### Cleanup: \n```powershell\nRemove-Item -Path $outputZip\\data.zip -Force\n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "052a6d58",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 1 -Cleanup"
},
{
"cell_type": "markdown",
"id": "c2dc14b6",
"metadata": {},
"source": "### Atomic Test #2 - Find and dump sqlite databases (Linux)\nAn adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.\n\n**Supported Platforms:** linux\n\nElevation Required (e.g. root or admin)\n#### Dependencies: Run with `bash`!\n##### Description: Check if running on a Debian based machine.\n\n##### Check Prereq Commands:\n```bash\nif [ -x \"$(command -v sqlite3)\" ]; then echo \"sqlite3 is installed\"; else echo \"sqlite3 is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v curl)\" ]; then echo \"curl is installed\"; else echo \"curl is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v strings)\" ]; then echo \"strings is installed\"; else echo \"strings is NOT installed\"; exit 1; fi\n\n```\n##### Get Prereq Commands:\n```bash\nif grep -iq \"debian\\|ubuntu\\|kali\\|mint\" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi\nif grep -iq \"rhel\\|fedora\\|centos\" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi\n\n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "24a2a915",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 2 -GetPreReqs"
},
{
"cell_type": "markdown",
"id": "f4695018",
"metadata": {},
"source": [
"#### Attack Commands: Run with `bash`\n",
"```bash\ncd $HOME\ncurl -O https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src/art\ncurl -O https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src/gta.db\ncurl -O https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src/sqlite_dump.sh\nchmod +x sqlite_dump.sh\nfind . ! -executable -exec bash -c 'if [[ \"$(head -c 15 {} | strings)\" == \"SQLite format 3\" ]]; then echo \"{}\"; ./sqlite_dump.sh {}; fi' \\;\n```"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "d44bfbb6",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 2"
},
{
"cell_type": "markdown",
"id": "974dacc7",
"metadata": {},
"source": "#### Cleanup: \n```bash\nrm -f $HOME/.art\nrm -f $HOME/gta.db\nrm -f $HOME/sqlite_dump.sh \n```"
},
{
"cell_type": "code",
"execution_count": null,
"id": "57b87ee6",
"metadata": {},
"outputs": [],
"source": "Invoke-AtomicTest T1005 -TestNumbers 2 -Cleanup"
},
{
"cell_type": "markdown",
"id": "c29cabe5",
"metadata": {},
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nFor network infrastructure devices, collect AAA logging to monitor `show` commands that view configuration files. "
},
{
"cell_type": "markdown",
"id": "433eb407",
"id": "88a5e206",
"metadata": {},
"source": "\n## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content.\n#### Use Case\nA defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.\n"
}
],
"metadata": {
"kernelspec": {
"display_name": ".NET (PowerShell)",
"language": "PowerShell",
"language": "pwsh",
"name": ".net-powershell"
},
"language_info": {
"file_extension": ".ps1",
"mimetype": "text/x-powershell",
"name": "PowerShell",
"name": "pwsh",
"pygments_lexer": "powershell",
"version": "7.0"
}
Expand Down
12 changes: 6 additions & 6 deletions _sources/tactics/collection/T1025.ipynb
Original file line number Diff line number Diff line change
Expand Up @@ -2,39 +2,39 @@
"cells": [
{
"cell_type": "markdown",
"id": "7e328d76",
"id": "c3a59dd9",
"metadata": {},
"source": "# T1025 - Data from Removable Media\nAdversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media."
},
{
"cell_type": "markdown",
"id": "9c87d6a7",
"id": "f98e3b02",
"metadata": {},
"source": "## Atomic Tests:\nCurrently, no tests are available for this technique."
},
{
"cell_type": "markdown",
"id": "9b363b5b",
"id": "e253568b",
"metadata": {},
"source": "## Detection\nMonitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
},
{
"cell_type": "markdown",
"id": "01c17807",
"id": "9fdbdaf3",
"metadata": {},
"source": "\n## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.\n#### Use Case\nA defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.\n"
}
],
"metadata": {
"kernelspec": {
"display_name": ".NET (PowerShell)",
"language": "PowerShell",
"language": "pwsh",
"name": ".net-powershell"
},
"language_info": {
"file_extension": ".ps1",
"mimetype": "text/x-powershell",
"name": "PowerShell",
"name": "pwsh",
"pygments_lexer": "powershell",
"version": "7.0"
}
Expand Down
Loading

0 comments on commit 178fd81

Please sign in to comment.