index.md
617 lines (606 loc) · 37.2 KB

All Atomic Tests by ATT&CK Tactic & Technique

persistence

defense-evasion

  • T1134 Access Token Manipulation
    • Atomic Test #1: Access Token Manipulation [windows]
  • T1197 BITS Jobs
    • Atomic Test #1: Download & Execute [windows]
    • Atomic Test #2: Download & Execute via PowerShell BITS [windows]
  • T1009 Binary Padding CONTRIBUTE A TEST
  • T1088 Bypass User Account Control CONTRIBUTE A TEST
  • T1191 CMSTP
    • Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  • T1146 Clear Command History
    • Atomic Test #1: Clear Bash history (rm) [linux, macos]
    • Atomic Test #2: Clear Bash history (echo) [linux, macos]
    • Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
    • Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
    • Atomic Test #5: Clear Bash history (truncate) [linux]
    • Atomic Test #6: Clear history of a bunch of shells [linux, macos]
  • T1116 Code Signing CONTRIBUTE A TEST
  • T1109 Component Firmware CONTRIBUTE A TEST
  • T1122 Component Object Model Hijacking
    • Atomic Test #1: PowerShell UAC Bypass [windows]
  • T1196 Control Panel Items CONTRIBUTE A TEST
  • T1207 DCShadow
    • Atomic Test #1: DCShadow - Mimikatz [windows]
  • T1038 DLL Search Order Hijacking CONTRIBUTE A TEST
  • T1073 DLL Side-Loading CONTRIBUTE A TEST
  • T1140 Deobfuscate/Decode Files or Information
    • Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  • T1089 Disabling Security Tools
    • Atomic Test #1: Disable iptables firewall [linux]
    • Atomic Test #2: Disable syslog [linux]
    • Atomic Test #3: Disable Cb Response [linux]
    • Atomic Test #4: Disable SELinux [linux]
    • Atomic Test #5: Disable Carbon Black Response [macos]
    • Atomic Test #6: Disable LittleSnitch [macos]
    • Atomic Test #7: Disable OpenDNS Umbrella [macos]
  • T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
  • T1181 Extra Window Memory Injection CONTRIBUTE A TEST
  • T1107 File Deletion
    • Atomic Test #1: Victim configuration [linux]
    • Atomic Test #2: Delete a single file [linux]
    • Atomic Test #3: Delete an entire folder [linux]
    • Atomic Test #4: Overwrite and delete a file with shred [linux]
    • Atomic Test #5: Victim configuration [windows]
    • Atomic Test #6: Delete a single file - cmd [windows]
    • Atomic Test #7: Delete an entire folder - cmd [windows]
    • Atomic Test #8: Delete a single file - ps [windows]
    • Atomic Test #9: Delete an entire folder - ps [windows]
    • Atomic Test #10: Delete VSS - vssadmin [windows]
    • Atomic Test #11: Delete VSS - wmic [windows]
    • Atomic Test #12: bcdedit [windows]
    • Atomic Test #13: wbadmin [windows]
  • T1006 File System Logical Offsets CONTRIBUTE A TEST
  • T1144 Gatekeeper Bypass
    • Atomic Test #1: Gatekeeper Bypass [macos]
  • T1148 HISTCONTROL
    • Atomic Test #1: Disable history collection [linux, macos]
    • Atomic Test #2: Mac HISTCONTROL [macos, linux]
  • T1158 Hidden Files and Directories
    • Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
    • Atomic Test #2: Mac Hidden file [macos]
    • Atomic Test #3: Hidden file [macos, linux]
    • Atomic Test #4: Hidden files [macos]
    • Atomic Test #5: Hide a Directory [macos]
    • Atomic Test #6: Show all hidden files [macos]
    • Atomic Test #7: Create visible Directories [macos, linux]
    • Atomic Test #8: Create hidden directories and files [macos, linux]
    • Atomic Test #9: Create ADS command prompt [windows]
    • Atomic Test #10: Create ADS PowerShell [windows]
  • T1147 Hidden Users
    • Atomic Test #1: Hidden Users [macos]
  • T1143 Hidden Window CONTRIBUTE A TEST
  • T1183 Image File Execution Options Injection
    • Atomic Test #1: IFEO Add Debugger [windows]
    • Atomic Test #2: IFEO Global Flags [windows]
  • T1054 Indicator Blocking CONTRIBUTE A TEST
  • T1066 Indicator Removal from Tools CONTRIBUTE A TEST
  • T1070 Indicator Removal on Host
    • Atomic Test #1: Clear Logs [windows]
    • Atomic Test #2: FSUtil [windows]
    • Atomic Test #3: rm -rf [macos, linux]
  • T1202 Indirect Command Execution
    • Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
    • Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
  • T1130 Install Root Certificate
    • Atomic Test #1: Install root CA on CentOS/RHEL [linux]
  • T1118 InstallUtil
    • Atomic Test #1: InstallUtil uninstall method call [windows]
  • T1149 LC_MAIN Hijacking CONTRIBUTE A TEST
  • T1152 Launchctl
    • Atomic Test #1: Launchctl [macos]
  • T1036 Masquerading CONTRIBUTE A TEST
  • T1112 Modify Registry CONTRIBUTE A TEST
  • T1170 Mshta
    • Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  • T1096 NTFS File Attributes
    • Atomic Test #1: Alternate Data Streams (ADS) [windows]
  • T1126 Network Share Connection Removal
    • Atomic Test #1: Remove Network Share [windows]
    • Atomic Test #2: Remove Network Share PowerShell [windows]
  • T1027 Obfuscated Files or Information CONTRIBUTE A TEST
  • T1150 Plist Modification
    • Atomic Test #1: Plist Modification [macos]
  • T1205 Port Knocking CONTRIBUTE A TEST
  • T1186 Process Doppelgänging CONTRIBUTE A TEST
  • T1093 Process Hollowing CONTRIBUTE A TEST
  • T1055 Process Injection
    • Atomic Test #1: Process Injection via mavinject.exe [windows]
    • Atomic Test #2: Process Injection via PowerSploit [windows]
  • T1108 Redundant Access CONTRIBUTE A TEST
  • T1121 Regsvcs/Regasm
    • Atomic Test #1: Regasm Uninstall Method Call Test [windows]
    • Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
  • T1117 Regsvr32
    • Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
    • Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
    • Atomic Test #3: Regsvr32 local DLL execution [windows]
  • T1014 Rootkit
    • Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
    • Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
    • Atomic Test #3: LD_PRELOAD based Rootkit [linux]
  • T1085 Rundll32
    • Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
  • T1198 SIP and Trust Provider Hijacking CONTRIBUTE A TEST
  • T1064 Scripting CONTRIBUTE A TEST
  • T1218 Signed Binary Proxy Execution CONTRIBUTE A TEST
  • T1216 Signed Script Proxy Execution CONTRIBUTE A TEST
  • T1045 Software Packing CONTRIBUTE A TEST
  • T1151 Space after Filename
    • Atomic Test #1: Space After Filename [macos]
  • T1099 Timestomp
    • Atomic Test #1: Set a file's access timestamp [linux, macos]
    • Atomic Test #2: Set a file's modification timestamp [linux, macos]
    • Atomic Test #3: Set a file's creation timestamp [linux, macos]
  • T1127 Trusted Developer Utilities
    • Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
  • T1078 Valid Accounts CONTRIBUTE A TEST
  • T1102 Web Service CONTRIBUTE A TEST

privilege-escalation

discovery

  • T1087 Account Discovery
    • Atomic Test #1: List all accounts [linux, macos]
    • Atomic Test #2: View sudoers access [linux, macos]
    • Atomic Test #3: View accounts with UID 0 [linux, macos]
    • Atomic Test #4: List opened files by user [linux, macos]
    • Atomic Test #5: Show if a user account has ever logged in remotely [linux, macos]
    • Atomic Test #6: Enumerate Groups and users [linux, macos]
    • Atomic Test #7: Enumerate all user accounts [windows]
    • Atomic Test #8: Enumerate all user accounts - PowerShell [windows]
    • Atomic Test #9: Get logged on Users [windows]
    • Atomic Test #10: Get logged on users PowerShell [windows]
  • T1010 Application Window Discovery CONTRIBUTE A TEST
  • T1217 Browser Bookmark Discovery CONTRIBUTE A TEST
  • T1083 File and Directory Discovery
    • Atomic Test #1: File and Directory Discovery [windows]
    • Atomic Test #2: File and Directory Discovery [windows]
    • Atomic Test #3: Nix File and Directory Discovery [macos, linux]
    • Atomic Test #4: Nix File and Directory Discovery [macos, linux]
  • T1046 Network Service Scanning
    • Atomic Test #1: Port Scan [linux, macos]
    • Atomic Test #2: Port Scan Nmap [linux, macos]
  • T1135 Network Share Discovery
    • Atomic Test #1: Network Share Discovery [macos, linux]
    • Atomic Test #2: Network Share Discovery command prompt [windows]
    • Atomic Test #3: Network Share Discovery PowerShell [windows]
  • T1201 Password Policy Discovery
    • Atomic Test #1: Examine password complexity policy - Ubuntu [ubuntu]
    • Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [centos]
    • Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [centos]
    • Atomic Test #4: Examine password expiration policy - All Linux [linux]
  • T1120 Peripheral Device Discovery CONTRIBUTE A TEST
  • T1069 Permission Groups Discovery
    • Atomic Test #1: Permission Groups Discovery [macos, linux]
  • T1057 Process Discovery
    • Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux]
  • T1012 Query Registry
    • Atomic Test #1: Query Registry [windows]
  • T1018 Remote System Discovery
    • Atomic Test #1: Remote System Discovery - net [windows]
    • Atomic Test #2: Remote System Discovery - ping sweep [windows]
    • Atomic Test #3: Remote System Discovery - arp [windows]
    • Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
    • Atomic Test #5: Remote System Discovery - sweep [linux, macos]
  • T1063 Security Software Discovery
    • Atomic Test #1: Security Software Discovery [windows]
    • Atomic Test #2: Security Software Discovery - powershell [windows]
    • Atomic Test #3: Security Software Discovery - ps [linux, macos]
  • T1082 System Information Discovery
    • Atomic Test #1: System Information Discovery [windows]
    • Atomic Test #2: System Information Discovery [linux, macos]
    • Atomic Test #3: List OS Information [linux, macos]
  • T1016 System Network Configuration Discovery
    • Atomic Test #1: System Network Configuration Discovery [windows]
    • Atomic Test #2: System Network Configuration Discovery [macos, linux]
  • T1049 System Network Connections Discovery
    • Atomic Test #1: System Network Connections Discovery [windows]
    • Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
    • Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
  • T1033 System Owner/User Discovery
    • Atomic Test #1: System Owner/User Discovery [windows]
    • Atomic Test #2: System Owner/User Discovery [linux, macos]
  • T1007 System Service Discovery
    • Atomic Test #1: System Service Discovery [windows]
  • T1124 System Time Discovery
    • Atomic Test #1: System Time Discovery [windows]
    • Atomic Test #2: System Time Discovery - PowerShell [windows]

credential-access

execution

  • T1155 AppleScript
    • Atomic Test #1: AppleScript [macos]
  • T1191 CMSTP
    • Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  • T1059 Command-Line Interface
    • Atomic Test #1: Command-Line Interface [macos, centos, ubuntu, linux]
  • T1196 Control Panel Items CONTRIBUTE A TEST
  • T1173 Dynamic Data Exchange
    • Atomic Test #1: Execute Commands [windows]
  • T1106 Execution through API CONTRIBUTE A TEST
  • T1129 Execution through Module Load CONTRIBUTE A TEST
  • T1203 Exploitation for Client Execution CONTRIBUTE A TEST
  • T1061 Graphical User Interface CONTRIBUTE A TEST
  • T1118 InstallUtil
    • Atomic Test #1: InstallUtil uninstall method call [windows]
  • T1177 LSASS Driver CONTRIBUTE A TEST
  • T1152 Launchctl
    • Atomic Test #1: Launchctl [macos]
  • T1168 Local Job Scheduling
    • Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
    • Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
  • T1170 Mshta
    • Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  • T1086 PowerShell
    • Atomic Test #1: Mimikatz [windows]
    • Atomic Test #2: BloodHound [windows]
    • Atomic Test #3: Obfuscation Tests [windows]
    • Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
    • Atomic Test #5: Invoke-AppPathBypass [windows]
    • Atomic Test #6: PowerShell Add User [windows]
    • Atomic Test #7: Powershell MsXml COM object [windows]
    • Atomic Test #8: Powershell XML requests [windows]
    • Atomic Test #9: Powershell invoke mshta.exe download [windows]
    • Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
  • T1121 Regsvcs/Regasm
    • Atomic Test #1: Regasm Uninstall Method Call Test [windows]
    • Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
  • T1117 Regsvr32
    • Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
    • Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
    • Atomic Test #3: Regsvr32 local DLL execution [windows]
  • T1085 Rundll32
    • Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
  • T1053 Scheduled Task
    • Atomic Test #1: At.exe Scheduled task [windows]
    • Atomic Test #2: Scheduled task Local [windows]
    • Atomic Test #3: Scheduled task Remote [windows]
  • T1064 Scripting CONTRIBUTE A TEST
  • T1035 Service Execution CONTRIBUTE A TEST
  • T1218 Signed Binary Proxy Execution CONTRIBUTE A TEST
  • T1216 Signed Script Proxy Execution CONTRIBUTE A TEST
  • T1153 Source CONTRIBUTE A TEST
  • T1151 Space after Filename
    • Atomic Test #1: Space After Filename [macos]
  • T1072 Third-party Software CONTRIBUTE A TEST
  • T1154 Trap
    • Atomic Test #1: Trap [macos, centos, ubuntu, linux]
  • T1127 Trusted Developer Utilities
    • Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
  • T1204 User Execution CONTRIBUTE A TEST
  • T1047 Windows Management Instrumentation
    • Atomic Test #1: WMI Reconnaissance Users [windows]
    • Atomic Test #2: WMI Reconnaissance Processes [windows]
    • Atomic Test #3: WMI Reconnaissance Software [windows]
    • Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
  • T1028 Windows Remote Management
    • Atomic Test #1: Enable Windows Remote Management [windows]
    • Atomic Test #2: PowerShell Lateral Movement [windows]
    • Atomic Test #3: WMIC Process Call Create [windows]
    • Atomic Test #4: Psexec [windows]
    • Atomic Test #5: Invoke-Command [windows]

lateral-movement

collection

exfiltration

  • T1020 Automated Exfiltration CONTRIBUTE A TEST
  • T1002 Data Compressed
    • Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
    • Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
    • Atomic Test #3: Data Compressed - nix [linux, macos]
  • T1022 Data Encrypted
    • Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
  • T1030 Data Transfer Size Limits
    • Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
  • T1048 Exfiltration Over Alternative Protocol
    • Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
    • Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
    • Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, centos, ubuntu, linux]
  • T1041 Exfiltration Over Command and Control Channel CONTRIBUTE A TEST
  • T1011 Exfiltration Over Other Network Medium CONTRIBUTE A TEST
  • T1052 Exfiltration Over Physical Medium CONTRIBUTE A TEST
  • T1029 Scheduled Transfer CONTRIBUTE A TEST

command-and-control

initial-access
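The index above is only useful to a detection team once it can be queried: which techniques have a test you can actually run on a given platform, which tactics are thin, and which entries are still marked CONTRIBUTE A TEST. The following is an added example, not code from the Atomic Red Team project, that parses text in this page's own format (tactic heading, `• Txxxx Name` bullets, `• Atomic Test #n: Name [platforms]` sub-bullets) into a coverage map. It assumes that the distro tags `centos` and `ubuntu` should be folded into `linux` for platform queries, and it embeds a constructed excerpt of the index as sample input so it runs offline.

```python
"""Parse an Atomic Red Team tactic/technique/test index into a coverage map.

Added example, not part of the Atomic Red Team project. SAMPLE_INDEX is a
constructed excerpt in the same format as the index on this page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_INDEX = """\
All Atomic Tests by ATT&CK Tactic & Technique

defense-evasion

  • T1134 Access Token Manipulation
    • Atomic Test #1: Access Token Manipulation [windows]
  • T1009 Binary Padding CONTRIBUTE A TEST
  • T1146 Clear Command History
    • Atomic Test #1: Clear Bash history (rm) [linux, macos]
    • Atomic Test #5: Clear Bash history (truncate) [linux]
  • T1191 CMSTP
    • Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]

execution

  • T1191 CMSTP
    • Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  • T1059 Command-Line Interface
    • Atomic Test #1: Command-Line Interface [macos, centos, ubuntu, linux]
  • T1106 Execution through API CONTRIBUTE A TEST

lateral-movement
"""

# Assumption: distro-specific tags count as Linux when querying by platform.
PLATFORM_ALIASES = {"ubuntu": "linux", "centos": "linux"}

TACTIC_RE = re.compile(r"^[a-z]+(?:-[a-z]+)*$")                 # e.g. defense-evasion
TECHNIQUE_RE = re.compile(r"^(T\d{4})\s+(.+?)(?:\s+CONTRIBUTE A TEST)?$")
TEST_RE = re.compile(r"^Atomic Test #(\d+):\s+(.+?)\s+\[([^\]]+)\]$")


@dataclass
class AtomicTest:
    number: int
    name: str
    platforms: frozenset


@dataclass
class Technique:
    tech_id: str
    name: str
    tests: list = field(default_factory=list)   # empty => CONTRIBUTE A TEST


def normalize_platform(tag):
    tag = tag.strip().lower()
    return PLATFORM_ALIASES.get(tag, tag)


def parse_index(text):
    """Return {tactic: {technique_id: Technique}}. A technique may appear under
    several tactics (T1191 CMSTP is both defense-evasion and execution)."""
    index = defaultdict(dict)
    tactic = technique = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            body = line[1:].strip()
            m = TEST_RE.match(body)          # check the more specific form first
            if m:
                if technique is None:
                    raise ValueError(f"test line before any technique: {raw!r}")
                platforms = frozenset(normalize_platform(p) for p in m.group(3).split(","))
                technique.tests.append(AtomicTest(int(m.group(1)), m.group(2), platforms))
                continue
            m = TECHNIQUE_RE.match(body)
            if m:
                if tactic is None:
                    raise ValueError(f"technique line before any tactic: {raw!r}")
                technique = Technique(m.group(1), m.group(2))
                index[tactic][technique.tech_id] = technique
                continue
            raise ValueError(f"unrecognised bullet: {raw!r}")
        if TACTIC_RE.match(line):
            tactic, technique = line, None
            index.setdefault(tactic, {})     # keep empty tactics visible as gaps
        # any other line (the page title) is ignored
    return dict(index)


def covered(index, platform):
    """(tactic, id, name) for techniques with at least one test runnable on `platform`."""
    platform = normalize_platform(platform)
    return sorted((tactic, t.tech_id, t.name)
                  for tactic, techs in index.items() for t in techs.values()
                  if any(platform in test.platforms for test in t.tests))


def gaps(index):
    """(tactic, id, name) for techniques listed with no tests at all."""
    return sorted((tactic, t.tech_id, t.name)
                  for tactic, techs in index.items() for t in techs.values()
                  if not t.tests)


def coverage_summary(index):
    """Per tactic: (techniques listed, techniques with >=1 test, total tests)."""
    return {tactic: (len(techs),
                     sum(1 for t in techs.values() if t.tests),
                     sum(len(t.tests) for t in techs.values()))
            for tactic, techs in index.items()}


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    for tactic, (listed, with_tests, total) in coverage_summary(idx).items():
        print(f"{tactic:18} {with_tests}/{listed} techniques covered, {total} tests")
    print("linux-runnable:", covered(idx, "linux"))
    print("gaps:", gaps(idx))
```

Point it at the full index text and the same three functions give the per-tactic coverage table, the list of tests a Linux or Windows range can actually exercise, and the CONTRIBUTE A TEST backlog. The parser fails loudly on a bullet it does not recognise rather than silently dropping it, so a format change in the index shows up as an error instead of as a coverage number that is quietly too low.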