Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1002/T1002.md

@@ -1,16 +1,6 @@
 # T1002 - Data Compressed
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
-<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
-
-Detection: Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.
-
-If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
-
-Requires Network: No</blockquote>
+<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>
 
 ## Atomic Tests
 

atomics/T1003/T1003.md

@@ -4,17 +4,21 @@
 
 Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
 
-===SAM (Security Accounts Manager)===
+### Windows
 
-The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command.  To enumerate the SAM database, system level access is required.
+#### SAM (Security Accounts Manager)
+
+The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.
 
 A number of tools can be used to retrieve the SAM file through in-memory techniques:
+
 * pwdumpx.exe 
-* gsecdump
-* Mimikatz
+* [gsecdump](https://attack.mitre.org/software/S0008)
+* [Mimikatz](https://attack.mitre.org/software/S0002)
 * secretsdump.py
 
-Alternatively, the SAM can be extracted from the Registry with Reg:
+Alternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):
+
 * <code>reg save HKLM\sam sam</code>
 * <code>reg save HKLM\system system</code>
 
@@ -25,30 +29,32 @@ Rid 500 account is the local, in-built administrator.
 Rid 501 is the guest account.
 User accounts start with a RID of 1,000+.
 
-===Cached Credentials===
+#### Cached Credentials
 
-The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable.  The number of default cached credentials varies, and this number can be altered per system.  This hash does not allow pass-the-hash style attacks.
+The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.
 
 A number of tools can be used to retrieve the SAM file through in-memory techniques.
+
 * pwdumpx.exe 
-* gsecdump
-* Mimikatz
+* [gsecdump](https://attack.mitre.org/software/S0008)
+* [Mimikatz](https://attack.mitre.org/software/S0002)
 
 Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
 
 Notes:
 Cached credentials for Windows Vista are derived using PBKDF2.
 
-===Local Security Authority (LSA) Secrets===
+#### Local Security Authority (LSA) Secrets
 
 With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.
 
 When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.
 
 A number of tools can be used to retrieve the SAM file through in-memory techniques.
+
 * pwdumpx.exe 
-* gsecdump
-* Mimikatz
+* [gsecdump](https://attack.mitre.org/software/S0008)
+* [Mimikatz](https://attack.mitre.org/software/S0002)
 * secretsdump.py
 
 Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
@@ -57,85 +63,74 @@ Notes:
 The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.
 Windows 10 adds protections for LSA Secrets described in Mitigation.
 
-===NTDS from Domain Controller===
+#### NTDS from Domain Controller
 
 Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)
 
 The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
- 
+
 * Volume Shadow Copy
 * secretsdump.py
 * Using the in-built Windows tool, ntdsutil.exe
 * Invoke-NinjaCopy
 
-===Group Policy Preference (GPP) Files===
+#### Group Policy Preference (GPP) Files
 
 Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.
- 
+
 These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)
- 
+
 The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
- 
+
 * Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp"
 * Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
 * gpprefdecrypt.py
- 
+
 Notes:
 On the SYSVOL share, the following can be used to enumerate potential XML files.
-dir /s *.xml
+dir /s * .xml
 
-===Service Principle Names (SPNs)===
+#### Service Principal Names (SPNs)
 
-See Kerberoasting.
+See [Kerberoasting](https://attack.mitre.org/techniques/T1208).
 
-===Plaintext Credentials===
+#### Plaintext Credentials
 
 After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.
- 
+
 SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.
 
 The following SSPs can be used to access credentials:
- 
+
 Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
 Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)
 Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
 CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)
 
 The following tools can be used to enumerate credentials:
- 
-* Windows Credential Editor
-* Mimikatz
- 
+
+* [Windows Credential Editor](https://attack.mitre.org/software/S0005)
+* [Mimikatz](https://attack.mitre.org/software/S0002)
+
 As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
- 
+
 For example, on the target host use procdump:
 * <code>procdump -ma lsass.exe lsass_dump</code>
- 
+
 Locally, mimikatz can be run:
+
 * <code>sekurlsa::Minidump lsassdump.dmp</code>
 * <code>sekurlsa::logonPasswords</code>
 
-===DCSync=== 
-
-DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's  application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller.  Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data  (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
-
-Detection: Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
-
-Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well. 
-
-On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.
-
-Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
-
-Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols  (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)
+#### DCSync
 
-Platforms: Windows
+DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's  application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
 
-Data Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs
+### Linux
 
-Permissions Required: Administrator, SYSTEM
+#### Proc filesystem
 
-Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs</blockquote>
+The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
 
 ## Atomic Tests
 

atomics/T1007/T1007.md

@@ -1,16 +1,6 @@
 # T1007 - System Service Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
-<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Windows
-
-Data Sources: Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator, SYSTEM</blockquote>
+<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well.</blockquote>
 
 ## Atomic Tests
 

atomics/T1009/T1009.md

@@ -1,14 +1,6 @@
 # T1009 - Binary Padding
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
-<blockquote>Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.
-
-Detection: Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. 
-
-When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file.
-
-Platforms: Linux, macOS, Windows
-
-Defense Bypassed: Anti-virus, Signature-based detection</blockquote>
+<blockquote>Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.</blockquote>
 
 ## Atomic Tests
 

atomics/T1012/T1012.md

@@ -2,17 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012)
 <blockquote>Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
 
-The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Windows
-
-Data Sources: Windows Registry, Process monitoring, Process command-line parameters
-
-Permissions Required: User, Administrator, SYSTEM</blockquote>
+The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.</blockquote>
 
 ## Atomic Tests