backslash fix for markdown (redcanaryco#881)

atomic_red_team/atomic_doc_template.md.erb

@@ -24,12 +24,16 @@
   end
 end.join(', ') %>
 
+<%def cleanup(input)
+    input.to_s.strip.gsub(/\\/,"&#92;")
+end%>
+
 <% if test['input_arguments'].to_a.count > 0 %>
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 <% test['input_arguments'].each do |arg_name, arg_options| -%>
-| <%= arg_name.to_s.strip %> | <%= arg_options['description'].to_s.strip %> | <%= arg_options['type'].to_s.strip %> | <%= arg_options['default'].to_s.strip %>|
+| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
 <% end -%>
 <% end -%>
 

atomics/T1002/T1002.md

@@ -23,11 +23,13 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
-| output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE\data.zip|
+| output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE\data.zip|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -55,13 +57,15 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | input_path | Path that should be compressed into our output file | Path | %USERPROFILE%|
 | file_extension | Extension of files to compress | String | .txt|
-| output_file | Path where resulting compressed data should be placed | Path | %USERPROFILE%\data.rar|
-| rar_installer | Winrar installer | Path | %TEMP%\winrar.exe|
+| output_file | Path where resulting compressed data should be placed | Path | %USERPROFILE%\data.rar|
+| rar_installer | Winrar installer | Path | %TEMP%\winrar.exe|
 | rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe|
 
 
@@ -105,6 +109,8 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Linux, macOS
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
@@ -149,6 +155,8 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Linux, macOS
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
@@ -181,6 +189,8 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
 **Supported Platforms:** Linux, macOS
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|

atomics/T1003/T1003.md

@@ -172,6 +172,8 @@ Dumps credentials from memory via Powershell by invoking a remote mimikatz scrip
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
@@ -199,10 +201,12 @@ Dump credentials from memory using Gsecdump
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder\T1003\bin\gsecdump.exe|
+| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder\T1003\bin\gsecdump.exe|
 | gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
 | gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
 
@@ -244,11 +248,13 @@ Dump credentials from memory using Windows Credential Editor from https://www.am
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path where resulting data should be placed | Path | %temp%\output.txt|
-| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder\T1003\bin\wce.exe|
+| output_file | Path where resulting data should be placed | Path | %temp%\output.txt|
+| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder\T1003\bin\wce.exe|
 | wce_url | Path to download Windows Credential Editor zip file | url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip|
 | wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
 
@@ -294,6 +300,8 @@ via three registry keys. Then processed locally using https://github.com/Neohaps
 
 
 
+
+
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 
@@ -324,11 +332,13 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp|
-| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003\bin\procdump.exe|
+| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp|
+| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003\bin\procdump.exe|
 
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -372,6 +382,8 @@ Manager and administrative permissions.
 **Supported Platforms:** Windows
 
 
+
+
 #### Run it with these steps! 
 1. Open Task Manager:
   On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
@@ -400,11 +412,13 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder\T1003\bin\mimikatz.exe|
-| input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP|
+| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder\T1003\bin\mimikatz.exe|
+| input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP|
 
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -454,10 +468,12 @@ subsequent domain controllers without the need of network-based replication.
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_folder | Path where resulting dump should be placed | Path | C:\Windows\Temp|
+| output_folder | Path where resulting dump should be placed | Path | C:\Windows\Temp|
 
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -493,6 +509,8 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
@@ -536,11 +554,13 @@ This test must be executed on a Windows Domain Controller.
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
-| extract_path | Path for extracted NTDS.dit | Path | C:\Windows\Temp|
+| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
+| extract_path | Path for extracted NTDS.dit | Path | C:\Windows\Temp|
 
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -603,6 +623,8 @@ Look for the encrypted cpassword value within Group Policy Preference files on t
 
 
 
+
+
 #### Attack Commands: Run with `command_prompt`! 
 
 
@@ -636,10 +658,12 @@ Look for the encrypted cpassword value within Group Policy Preference files on t
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1|
+| gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1|
 | gpp_script_url | URL of the Get-GPPPassword PowerShell Script | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1|
 
 
@@ -689,6 +713,8 @@ Parses secrets hidden in the LSASS process with python. Similar to mimikatz's se
 
 
 
+
+
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 
@@ -741,6 +767,8 @@ Parses registry hives to obtain stored credentials
 
 
 
+
+
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 

atomics/T1004/T1004.md

@@ -27,10 +27,12 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
+| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -58,10 +60,12 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
+| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -89,10 +93,12 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
+| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
 
 
 #### Attack Commands: Run with `powershell`! 

atomics/T1005/T1005.md

@@ -18,6 +18,8 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified
 **Supported Platforms:** macOS
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|

atomics/T1007/T1007.md

@@ -18,6 +18,8 @@ Identify system services
 
 
 
+
+
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 
@@ -41,10 +43,12 @@ Enumerates started system services using net.exe and writes them to a file. This
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
+| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
 
 
 #### Attack Commands: Run with `command_prompt`! 

atomics/T1009/T1009.md

@@ -18,6 +18,8 @@ Uses dd to add a zero to the binary to change the hash
 **Supported Platforms:** macOS, Linux
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|

atomics/T1010/T1010.md

@@ -17,11 +17,13 @@ Compiles and executes C# code to list main window titles associated with each pr
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| input_source_code | Path to source of C# code | path | PathToAtomicsFolder\T1010\src\T1010.cs|
-| output_file_name | Name of output binary | string | $env:TEMP\T1010.exe|
+| input_source_code | Path to source of C# code | path | PathToAtomicsFolder\T1010\src\T1010.cs|
+| output_file_name | Name of output binary | string | $env:TEMP\T1010.exe|
 
 
 #### Attack Commands: Run with `command_prompt`! 

atomics/T1012/T1012.md

@@ -29,6 +29,8 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
 
 
 
+
+
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 

atomics/T1014/T1014.md

@@ -21,6 +21,8 @@ Loadable Kernel Module based Rootkit
 **Supported Platforms:** Linux
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
@@ -48,6 +50,8 @@ Loadable Kernel Module based Rootkit
 **Supported Platforms:** Linux
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
@@ -82,10 +86,12 @@ It would be wise if you only run this in a test environment
 **Supported Platforms:** Windows
 
 
+
+
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
+| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
 
 
 #### Attack Commands: Run with `command_prompt`!