[pull] master from redcanaryco:master

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1554-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1556-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -1677,6 +1677,7 @@ discovery,T1135,Network Share Discovery,8,PowerView ShareFinder,d07e4cc1-98ae-44
 discovery,T1135,Network Share Discovery,9,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
 discovery,T1135,Network Share Discovery,10,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
 discovery,T1135,Network Share Discovery,11,Enumerate All Network Shares with SharpShares,d1fa2a69-b0a2-4e8a-9112-529b00c19a41,powershell
+discovery,T1135,Network Share Discovery,12,Enumerate All Network Shares with Snaffler,b19d74b7-5e72-450a-8499-82e49e379d1a,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
 discovery,T1120,Peripheral Device Discovery,3,Peripheral Device Discovery via fsutil,424e18fd-48b8-4201-8d3a-bf591523a686,command_prompt
@@ -1762,6 +1763,7 @@ discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
 discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
 discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
+discovery,T1057,Process Discovery,7,Process Discovery - Process Hacker,966f4c16-1925-4d9b-8ce0-01334ee0867d,powershell
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1112,6 +1112,7 @@ discovery,T1135,Network Share Discovery,8,PowerView ShareFinder,d07e4cc1-98ae-44
 discovery,T1135,Network Share Discovery,9,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
 discovery,T1135,Network Share Discovery,10,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
 discovery,T1135,Network Share Discovery,11,Enumerate All Network Shares with SharpShares,d1fa2a69-b0a2-4e8a-9112-529b00c19a41,powershell
+discovery,T1135,Network Share Discovery,12,Enumerate All Network Shares with Snaffler,b19d74b7-5e72-450a-8499-82e49e379d1a,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
 discovery,T1120,Peripheral Device Discovery,3,Peripheral Device Discovery via fsutil,424e18fd-48b8-4201-8d3a-bf591523a686,command_prompt
@@ -1169,6 +1170,7 @@ discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
 discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
 discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
+discovery,T1057,Process Discovery,7,Process Discovery - Process Hacker,966f4c16-1925-4d9b-8ce0-01334ee0867d,powershell
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
 discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -2334,6 +2334,7 @@
   - Atomic Test #9: WinPwn - shareenumeration [windows]
   - Atomic Test #10: Network Share Discovery via dir command [windows]
   - Atomic Test #11: Enumerate All Network Shares with SharpShares [windows]
+  - Atomic Test #12: Enumerate All Network Shares with Snaffler [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
   - Atomic Test #2: WinPwn - printercheck [windows]
@@ -2437,6 +2438,7 @@
   - Atomic Test #4: Process Discovery - get-wmiObject [windows]
   - Atomic Test #5: Process Discovery - wmic process [windows]
   - Atomic Test #6: Discover Specific Process - tasklist [windows]
+  - Atomic Test #7: Process Discovery - Process Hacker [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
   - Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1618,6 +1618,7 @@
   - Atomic Test #9: WinPwn - shareenumeration [windows]
   - Atomic Test #10: Network Share Discovery via dir command [windows]
   - Atomic Test #11: Enumerate All Network Shares with SharpShares [windows]
+  - Atomic Test #12: Enumerate All Network Shares with Snaffler [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
   - Atomic Test #2: WinPwn - printercheck [windows]
@@ -1690,6 +1691,7 @@
   - Atomic Test #4: Process Discovery - get-wmiObject [windows]
   - Atomic Test #5: Process Discovery - wmic process [windows]
   - Atomic Test #6: Discover Specific Process - tasklist [windows]
+  - Atomic Test #7: Process Discovery - Process Hacker [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
   - Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]

atomics/Indexes/index.yaml

@@ -27413,7 +27413,7 @@ defense-evasion:
     - name: Delete Prefetch File
       auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb
       description: |
-        Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
+        Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count`
         before and after the test to verify that the number of prefetch files decreases by 1.
       supported_platforms:
       - windows
@@ -98846,6 +98846,38 @@ discovery:
         cleanup_command: remove-item "#{output_path}" -force -erroraction silentlycontinue
         name: powershell
         elevation_required: false
+    - name: Enumerate All Network Shares with Snaffler
+      auto_generated_guid: b19d74b7-5e72-450a-8499-82e49e379d1a
+      description: "Snaffler is an open-source tool that has been used by various
+        threat groups, including Scattered Spider/Muddled Libra, to enumerate accessible
+        shares and credential-containing files within a domain. \n[Reference](https://unit42.paloaltonetworks.com/muddled-libra/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: File to output enumeration results to
+          type: String
+          default: "$env:temp\\T1135SnafflerOutput.txt"
+        snaffler_path:
+          description: Path to the Snaffler executable
+          type: String
+          default: PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The Snaffler executable must exist on disk
+        prereq_command: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe")
+          {exit 0} else {exit 1}
+        get_prereq_command: |-
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://github.com/SnaffCon/Snaffler/releases/download/1.0.150/Snaffler.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe"
+      executor:
+        command: 'invoke-expression ''cmd /c start powershell -command { cmd /c "#{snaffler_path}"
+          -a -o "#{output_path}" }; start-sleep 90; stop-process -name "snaffler"''
+
+          '
+        cleanup_command: remove-item "#{output_path}" -force -erroraction silentlycontinue
+        name: powershell
+        elevation_required: false
   T1120:
     technique:
       modified: '2023-05-09T14:00:00.188Z'
@@ -101880,6 +101912,36 @@ discovery:
 
           '
         name: command_prompt
+    - name: Process Discovery - Process Hacker
+      auto_generated_guid: 966f4c16-1925-4d9b-8ce0-01334ee0867d
+      description: Process Hacker can be exploited to infiltrate system processes,
+        identify weak points, or achieve unauthorized control over systems. However,
+        its malicious use can often be flagged by security defenses, rendering it
+        a perilous tool for illegitimate purposes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        processhacker_exe:
+          description: Process hacker installation executables.
+          type: string
+          default: ProcessHacker.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Process Hacker must be installed in the location
+        prereq_command: 'if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |-
+          Write-Host Downloading Process Hacker
+          New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe"
+          Write-Host Installing Process Hacker
+          Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
+      executor:
+        command: Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
+        name: powershell
+        elevation_required: true
   T1497.002:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -22492,7 +22492,7 @@ defense-evasion:
     - name: Delete Prefetch File
       auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb
       description: |
-        Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
+        Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count`
         before and after the test to verify that the number of prefetch files decreases by 1.
       supported_platforms:
       - windows
@@ -81173,6 +81173,38 @@ discovery:
         cleanup_command: remove-item "#{output_path}" -force -erroraction silentlycontinue
         name: powershell
         elevation_required: false
+    - name: Enumerate All Network Shares with Snaffler
+      auto_generated_guid: b19d74b7-5e72-450a-8499-82e49e379d1a
+      description: "Snaffler is an open-source tool that has been used by various
+        threat groups, including Scattered Spider/Muddled Libra, to enumerate accessible
+        shares and credential-containing files within a domain. \n[Reference](https://unit42.paloaltonetworks.com/muddled-libra/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: File to output enumeration results to
+          type: String
+          default: "$env:temp\\T1135SnafflerOutput.txt"
+        snaffler_path:
+          description: Path to the Snaffler executable
+          type: String
+          default: PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The Snaffler executable must exist on disk
+        prereq_command: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe")
+          {exit 0} else {exit 1}
+        get_prereq_command: |-
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://github.com/SnaffCon/Snaffler/releases/download/1.0.150/Snaffler.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe"
+      executor:
+        command: 'invoke-expression ''cmd /c start powershell -command { cmd /c "#{snaffler_path}"
+          -a -o "#{output_path}" }; start-sleep 90; stop-process -name "snaffler"''
+
+          '
+        cleanup_command: remove-item "#{output_path}" -force -erroraction silentlycontinue
+        name: powershell
+        elevation_required: false
   T1120:
     technique:
       modified: '2023-05-09T14:00:00.188Z'
@@ -83464,6 +83496,36 @@ discovery:
 
           '
         name: command_prompt
+    - name: Process Discovery - Process Hacker
+      auto_generated_guid: 966f4c16-1925-4d9b-8ce0-01334ee0867d
+      description: Process Hacker can be exploited to infiltrate system processes,
+        identify weak points, or achieve unauthorized control over systems. However,
+        its malicious use can often be flagged by security defenses, rendering it
+        a perilous tool for illegitimate purposes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        processhacker_exe:
+          description: Process hacker installation executables.
+          type: string
+          default: ProcessHacker.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Process Hacker must be installed in the location
+        prereq_command: 'if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |-
+          Write-Host Downloading Process Hacker
+          New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe"
+          Write-Host Installing Process Hacker
+          Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
+      executor:
+        command: Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
+        name: powershell
+        elevation_required: true
   T1497.002:
     technique:
       x_mitre_platforms:

atomics/T1016.002/T1016.002.yaml

@@ -0,0 +1,13 @@
+attack_technique: T1016.002
+display_name: "System Network Configuration Discovery: Wi-Fi Discovery"
+atomic_tests:
+- name: Enumerate Stored Wi-Fi Profiles And Passwords via netsh
+  auto_generated_guid:
+  description: Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
+  supported_platforms:
+  - windows
+  executor:
+    command: netsh wlan show profile * key=clear
+    cleanup_command:
+    name: command_prompt
+    elevation_required: false

atomics/T1018/T1018.yaml

@@ -404,3 +404,32 @@ atomic_tests:
     command: |
       net group /domain "Domain controllers"
     name: command_prompt
+- name: Enumerate Remote Hosts with Netscan
+  description: This test uses Netscan to identify remote hosts in a specified network range. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    netscan_path:
+      description: NetScan exe location
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\netscan\64-bit\netscan.exe'
+    range_to_scan:
+      description: The IP range to scan with Netscan
+      type: string
+      default: '127.0.0.1-127.0.0.1'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Netscan must be installed
+    prereq_command: 'if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}'
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
+      Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
+  executor:
+    command: |-
+      cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
+    cleanup_command: |
+      remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction silentlycontinue
+    name: powershell
+    elevation_required: false

atomics/T1057/T1057.md

@@ -20,6 +20,8 @@ On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T10
 
 - [Atomic Test #6 - Discover Specific Process - tasklist](#atomic-test-6---discover-specific-process---tasklist)
 
+- [Atomic Test #7 - Process Discovery - Process Hacker](#atomic-test-7---process-discovery---process-hacker)
+
 
 <br/>
 
@@ -214,4 +216,53 @@ tasklist | findstr #{process_to_enumerate}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Process Discovery - Process Hacker
+Process Hacker can be exploited to infiltrate system processes, identify weak points, or achieve unauthorized control over systems. However, its malicious use can often be flagged by security defenses, rendering it a perilous tool for illegitimate purposes.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 966f4c16-1925-4d9b-8ce0-01334ee0867d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| processhacker_exe | Process hacker installation executables. | string | ProcessHacker.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Process Hacker must be installed in the location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Downloading Process Hacker
+New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe"
+Write-Host Installing Process Hacker
+Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
+```
+
+
+
+
 <br/>