Commit
deploy: 1097c27
cyberbuff committed Feb 26, 2023
1 parent a5ddd8f commit 3ea82d4
Showing 1,824 changed files with 3,464,181 additions and 874,163 deletions.
2 changes: 1 addition & 1 deletion .buildinfo
@@ -1,4 +1,4 @@
# Sphinx build info version 1
# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
config: f79d09b7988ef56058ee2a6464a6ee80
config: 80cda6c4b5ae5c6142a3a909fbd51503
tags: 645f666f9bcd5a90fca523b33c5a78b7
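Review bot: the only change in `.buildinfo` is the Sphinx `config:` hash, which moves on every rebuild whose configuration differs, so this file will churn in each deploy commit; that is expected for a generated deploy branch (the commit message is `deploy: 1097c27`), but it means the hash line carries no reviewable content and can be ignored when diffing deploys. If the branch is ever reviewed for real changes, excluding `.buildinfo` from the deploy commit (or from the diff view) would cut the noise.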


4 changes: 2 additions & 2 deletions _sources/intro.md
@@ -1,7 +1,7 @@
Welcome to the Atomic Playbook
============================

The Atomic Playbook contains TTPs from the MITRE ATT&CK framework mapped to the tests in the Atomic Red Team. It serves as a single resource to know about the tests, it's execution, detection and defense techniques from [MITRE Shield](shield.mitre.org).
The Atomic Playbook contains TTPs from the MITRE ATT&CK framework mapped to the tests in the Atomic Red Team. It serves as a single resource to know about the tests, it's execution, detection and defense techniques from [MITRE Shield](shield.mitre.org).

Note: Shield mapping to subtechniques is yet to be done.
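Review bot: the removed and added `The Atomic Playbook contains TTPs...` lines render identically, so this hunk appears to be a whitespace or line-ending change only; since the line is being touched anyway, two defects in it could be fixed in the same edit: `it's execution` should be `its execution`, and `[MITRE Shield](shield.mitre.org)` has no URL scheme, so Markdown renderers will emit it as a relative link rather than `https://shield.mitre.org`.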

@@ -14,4 +14,4 @@ To install the above requirements, checkout
To install the above requirements, checkout
- [Atomic Red Team Installation](https://github.com/redcanaryco/invoke-atomicredteam/wiki/Installing-Atomic-Red-Team)
- [ATTACK-Python-Client Installation](https://github.com/hunters-forge/ATTACK-Python-Client)
- [Jupyter for Powershell](https://github.com/dotnet/interactive/blob/master/docs/NotebooksLocalExperience.md)
- [Jupyter for Powershell](https://github.com/dotnet/interactive/blob/master/docs/NotebooksLocalExperience.md)
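Review bot: the `- [Jupyter for Powershell](...)` line is removed and re-added with no visible difference, which is consistent with adding a missing trailing newline at end of file; confirming with `git diff -w` that the hunk is whitespace-only would make the intent clear. If the text is edited again, the product name is spelled `PowerShell`.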
2 changes: 1 addition & 1 deletion _sources/tactics.ipynb
@@ -4,7 +4,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"| ID | Name | Description |\n| -------- | --------- | --------- |\n| TA0001 | Initial Access | The adversary is trying to get into your network.|\n| TA0002 | Execution | The adversary is trying to run malicious code.|\n| TA0003 | Persistence | The adversary is trying to maintain their foothold.|\n| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions.|\n| TA0005 | Defense Evasion | The adversary is trying to avoid being detected.|\n| TA0006 | Credential Access | The adversary is trying to steal account names and passwords.|\n| TA0007 | Discovery | The adversary is trying to figure out your environment.|\n| TA0008 | Lateral Movement | The adversary is trying to move through your environment.|\n| TA0009 | Collection | The adversary is trying to gather data of interest to their goal.|\n| TA0010 | Exfiltration | The adversary is trying to steal data.|\n| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them.|\n| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.|"
"| ID | Name | Description |\n| -------- | --------- | --------- |\n| TA0001 | Initial Access | The adversary is trying to get into your network.|\n| TA0002 | Execution | The adversary is trying to run malicious code.|\n| TA0003 | Persistence | The adversary is trying to maintain their foothold.|\n| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions.|\n| TA0005 | Defense Evasion | The adversary is trying to avoid being detected.|\n| TA0006 | Credential Access | The adversary is trying to steal account names and passwords.|\n| TA0007 | Discovery | The adversary is trying to figure out your environment.|\n| TA0008 | Lateral Movement | The adversary is trying to move through your environment.|\n| TA0009 | Collection | The adversary is trying to gather data of interest to their goal.|\n| TA0010 | Exfiltration | The adversary is trying to steal data.|\n| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them.|\n| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.|\n| TA0042 | Resource Development | The adversary is trying to establish resources they can use to support operations.|\n| TA0043 | Reconnaissance | The adversary is trying to gather information they can use to plan future operations.|"
]
}
],
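Review bot: the two new rows (`TA0042 | Resource Development` and `TA0043 | Reconnaissance`) are appended after `TA0040 | Impact`, which keeps the table in numeric ID order but not in the Enterprise ATT&CK tactic order, where Reconnaissance and Resource Development come before Initial Access (`TA0001`). Either order is defensible, but the table should state which one it follows, and if it is meant to mirror the matrix the two rows belong at the top. The whole table is one JSON string with embedded `\n`, so moving the rows is a mechanical edit.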
4 changes: 2 additions & 2 deletions _sources/tactics/collection.ipynb


4 changes: 2 additions & 2 deletions _sources/tactics/collection/T1005.ipynb
@@ -6,7 +6,7 @@
"source": [
"# T1005 - Data from Local System",
"\n",
"Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n"
"Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n"
]
},
{
@@ -22,7 +22,7 @@
"source": [
"## Detection",
"\n",
"Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
"Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
]
},
{
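Review bot: the new Detection text carries the raw citation markers `(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A)` straight from the ATT&CK description, and nothing in the cell resolves them, so they will render literally in the notebook; the generator should strip `(Citation: ...)` tokens or map them to the technique's external references before writing the Markdown cell. Minor: `unexpected or unauthorized use commands` is upstream's wording but reads as a dropped word (`use of commands`), and the first marker has a stray space before its closing parenthesis.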
66 changes: 65 additions & 1 deletion _sources/tactics/collection/T1039.ipynb
@@ -13,7 +13,71 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"## Atomic Tests:\nCurrently, no tests are available for this technique."
"## Atomic Tests"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Atomic Test #1 - Copy a sensitive File over Administive share with copy\nCopy from sensitive File from the c$ of another LAN computer with copy cmd\nhttps://twitter.com/SBousseaden/status/1211636381086339073\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies: Run with `powershell`!\n##### Description: Administrative share must exist on #{remote}\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"\\\\127.0.0.1\\C$\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nWrite-Host 'Please Enable \"C$\" share on 127.0.0.1'\n\n```\n##### Description: \"\\\\#{remote}\\C$\\#{share_file}\" must exist on #{remote}\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nOut-File -FilePath \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\"\n\n```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"Invoke-AtomicTest T1039 -TestNumbers 1 -GetPreReqs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"#### Attack Commands: Run with `command_prompt`\n```command_prompt\ncopy \\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password %TEMP%\\Easter_egg.password```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"Invoke-AtomicTest T1039 -TestNumbers 1"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Atomic Test #2 - Copy a sensitive File over Administive share with Powershell\nCopy from sensitive File from the c$ of another LAN computer with powershell\nhttps://twitter.com/SBousseaden/status/1211636381086339073\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies: Run with `powershell`!\n##### Description: Administrative share must exist on #{remote}\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"\\\\127.0.0.1\\C$\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nWrite-Host 'Please Enable \"C$\" share on 127.0.0.1'\n\n```\n##### Description: \"\\\\#{remote}\\C$\\#{share_file}\" must exist on #{remote}\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nOut-File -FilePath \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\"\n\n```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"Invoke-AtomicTest T1039 -TestNumbers 2 -GetPreReqs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"#### Attack Commands: Run with `powershell`\n```powershell\ncopy-item -Path \"\\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\" -Destination \"$Env:TEMP\\Easter_egg.password\"```"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"Invoke-AtomicTest T1039 -TestNumbers 2"
]
},
{
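Review bot: in both new test cells the prerequisite Description lines keep the unsubstituted input-argument placeholders (`Administrative share must exist on #{remote}` and `"\\#{remote}\C$\#{share_file}" must exist on #{remote}`) while the Check and Get Prereq commands directly below them are already rendered with the defaults (`127.0.0.1`, `Windows\temp\Easter_Bunny.password`); the generator should substitute the defaults in the description strings as well, or leave the placeholders everywhere so the reader can tell which values are arguments. Second, both Attack Commands cells close the fence on the same line as the command (the string ends in `Easter_egg.password```` `), so Markdown will treat the trailing backticks as part of the code line and the block will not close; emit a newline before the closing fence, as the prereq blocks already do. Third, no cleanup section is rendered for either test although the attack command leaves `%TEMP%\Easter_egg.password` (or `$Env:TEMP\Easter_egg.password`) behind; if the upstream test defines a cleanup command, it should be rendered here alongside the prereq and attack sections. The typo `Administive` in both test titles is upstream's and is best fixed there rather than in generated output.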