Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1690-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1693-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -1646,7 +1646,7 @@ credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Cra
 credential-access,T1649,Steal or Forge Authentication Certificates,1,Staging Local Certificates via Export-Certificate,eb121494-82d1-4148-9e2b-e624e03fbf3d,powershell
 credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
@@ -1660,6 +1660,9 @@ credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPw
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,13,List Credential Files via PowerShell,0d4f2281-f720-4572-adc8-d5bb1618affe,powershell
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List Credential Files via Command Prompt,b0cdacf6-8949-4ffe-9274-a9643a788e55,command_prompt
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
 credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -310,9 +310,12 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users
 credential-access,T1552.004,Unsecured Credentials: Private Keys,8,Copy the users GnuPG directory with rsync (freebsd),b05ac39b-515f-48e9-88e9-2f141b5bcad0,sh
 credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
 credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
 credential-access,T1110.004,Brute Force: Credential Stuffing,3,SSH Credential Stuffing From FreeBSD,a790d50e-7ebf-48de-8daa-d9367e0911d4,sh
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -200,10 +200,13 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Priva
 credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
 credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
 credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash

atomics/Indexes/Indexes-Markdown/index.md

@@ -2288,6 +2288,9 @@
   - Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
   - Atomic Test #13: List Credential Files via PowerShell [windows]
   - Atomic Test #14: List Credential Files via Command Prompt [windows]
+  - Atomic Test #15: Find Azure credentials [macos, linux]
+  - Atomic Test #16: Find GCP credentials [macos, linux]
+  - Atomic Test #17: Find OCI credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1528 Steal Application Access Token](../../T1528/T1528.md)
   - Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -668,6 +668,9 @@
   - Atomic Test #1: Find AWS credentials [macos, linux]
   - Atomic Test #3: Extract passwords with grep [linux, macos]
   - Atomic Test #6: Find and Access Github Credentials [linux, macos]
+  - Atomic Test #15: Find Azure credentials [macos, linux]
+  - Atomic Test #16: Find GCP credentials [macos, linux]
+  - Atomic Test #17: Find OCI credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -588,6 +588,9 @@
   - Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
   - Atomic Test #3: Extract passwords with grep [linux, macos]
   - Atomic Test #6: Find and Access Github Credentials [linux, macos]
+  - Atomic Test #15: Find Azure credentials [macos, linux]
+  - Atomic Test #16: Find GCP credentials [macos, linux]
+  - Atomic Test #17: Find OCI credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -95952,7 +95952,7 @@ credential-access:
       identifier: T1552.001
     atomic_tests:
     - name: Find AWS credentials
-      auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
+      auto_generated_guid: 37807632-d3da-442e-8c2e-00f44928ff8f
       description: 'Find local AWS credentials from file, defaults to using / as the
         look path.
 
@@ -95966,7 +95966,7 @@ credential-access:
           type: string
           default: "/"
       executor:
-        command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+        command: 'find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
 
           '
         name: sh
@@ -96153,6 +96153,65 @@ credential-access:
           dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
         name: command_prompt
         elevation_required: true
+    - name: Find Azure credentials
+      auto_generated_guid: a8f6148d-478a-4f43-bc62-5efee9f931a4
+      description: 'Find local Azure credentials from file, defaults to using / as
+        the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.azure -name "msal_token_cache.json" -o -name
+          "accessTokens.json" -type f 2>/dev/null
+
+          '
+        name: sh
+    - name: Find GCP credentials
+      auto_generated_guid: aa12eb29-2dbb-414e-8b20-33d34af93543
+      description: 'Find local Google Cloud Platform credentials from file, defaults
+        to using / as the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.config/gcloud -name "credentials.db" -o -name
+          "access_tokens.db" -type f 2>/dev/null
+
+          '
+        name: sh
+    - name: Find OCI credentials
+      auto_generated_guid: 9d9c22c9-fa97-4008-a204-478cf68c40af
+      description: 'Find local Oracle cloud credentials from file, defaults to using
+        / as the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
+
+          '
+        name: sh
   T1606.001:
     technique:
       modified: '2023-09-19T21:25:10.511Z'

atomics/Indexes/linux-index.yaml

@@ -56491,7 +56491,7 @@ credential-access:
       identifier: T1552.001
     atomic_tests:
     - name: Find AWS credentials
-      auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
+      auto_generated_guid: 37807632-d3da-442e-8c2e-00f44928ff8f
       description: 'Find local AWS credentials from file, defaults to using / as the
         look path.
 
@@ -56505,7 +56505,7 @@ credential-access:
           type: string
           default: "/"
       executor:
-        command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+        command: 'find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
 
           '
         name: sh
@@ -56548,6 +56548,65 @@ credential-access:
           echo $file ; cat $file ; done
 
           '
+    - name: Find Azure credentials
+      auto_generated_guid: a8f6148d-478a-4f43-bc62-5efee9f931a4
+      description: 'Find local Azure credentials from file, defaults to using / as
+        the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.azure -name "msal_token_cache.json" -o -name
+          "accessTokens.json" -type f 2>/dev/null
+
+          '
+        name: sh
+    - name: Find GCP credentials
+      auto_generated_guid: aa12eb29-2dbb-414e-8b20-33d34af93543
+      description: 'Find local Google Cloud Platform credentials from file, defaults
+        to using / as the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.config/gcloud -name "credentials.db" -o -name
+          "access_tokens.db" -type f 2>/dev/null
+
+          '
+        name: sh
+    - name: Find OCI credentials
+      auto_generated_guid: 9d9c22c9-fa97-4008-a204-478cf68c40af
+      description: 'Find local Oracle cloud credentials from file, defaults to using
+        / as the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
+
+          '
+        name: sh
   T1606.001:
     technique:
       modified: '2023-09-19T21:25:10.511Z'

atomics/Indexes/macos-index.yaml

@@ -52222,7 +52222,7 @@ credential-access:
       identifier: T1552.001
     atomic_tests:
     - name: Find AWS credentials
-      auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
+      auto_generated_guid: 37807632-d3da-442e-8c2e-00f44928ff8f
       description: 'Find local AWS credentials from file, defaults to using / as the
         look path.
 
@@ -52236,7 +52236,7 @@ credential-access:
           type: string
           default: "/"
       executor:
-        command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+        command: 'find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
 
           '
         name: sh
@@ -52290,6 +52290,65 @@ credential-access:
           echo $file ; cat $file ; done
 
           '
+    - name: Find Azure credentials
+      auto_generated_guid: a8f6148d-478a-4f43-bc62-5efee9f931a4
+      description: 'Find local Azure credentials from file, defaults to using / as
+        the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.azure -name "msal_token_cache.json" -o -name
+          "accessTokens.json" -type f 2>/dev/null
+
+          '
+        name: sh
+    - name: Find GCP credentials
+      auto_generated_guid: aa12eb29-2dbb-414e-8b20-33d34af93543
+      description: 'Find local Google Cloud Platform credentials from file, defaults
+        to using / as the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.config/gcloud -name "credentials.db" -o -name
+          "access_tokens.db" -type f 2>/dev/null
+
+          '
+        name: sh
+    - name: Find OCI credentials
+      auto_generated_guid: 9d9c22c9-fa97-4008-a204-478cf68c40af
+      description: 'Find local Oracle cloud credentials from file, defaults to using
+        / as the look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
+
+          '
+        name: sh
   T1606.001:
     technique:
       modified: '2023-09-19T21:25:10.511Z'