Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1636-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1637-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -860,7 +860,8 @@ privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Star
 privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
-privilege-escalation,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
+privilege-escalation,T1546,Event Triggered Execution,8,Persistence via ErrorHandler.cmd script execution,547a4736-dd1c-4b48-b4fe-e916190bb2e7,powershell
+privilege-escalation,T1546,Event Triggered Execution,9,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
@@ -1229,7 +1230,8 @@ persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process
 persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 persistence,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 persistence,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
-persistence,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
+persistence,T1546,Event Triggered Execution,8,Persistence via ErrorHandler.cmd script execution,547a4736-dd1c-4b48-b4fe-e916190bb2e7,powershell
+persistence,T1546,Event Triggered Execution,9,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -602,7 +602,8 @@ privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Star
 privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 privilege-escalation,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
-privilege-escalation,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
+privilege-escalation,T1546,Event Triggered Execution,8,Persistence via ErrorHandler.cmd script execution,547a4736-dd1c-4b48-b4fe-e916190bb2e7,powershell
+privilege-escalation,T1546,Event Triggered Execution,9,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -844,7 +845,8 @@ persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process
 persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 persistence,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
 persistence,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
-persistence,T1546,Event Triggered Execution,8,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
+persistence,T1546,Event Triggered Execution,8,Persistence via ErrorHandler.cmd script execution,547a4736-dd1c-4b48-b4fe-e916190bb2e7,powershell
+persistence,T1546,Event Triggered Execution,9,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1133,7 +1133,8 @@
   - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
   - Atomic Test #6: Load custom DLL on mstsc execution [windows]
   - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
-  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
+  - Atomic Test #8: Persistence via ErrorHandler.cmd script execution [windows]
+  - Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
   - Atomic Test #1: Add command to .bash_profile [macos, linux]
   - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1659,7 +1660,8 @@
   - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
   - Atomic Test #6: Load custom DLL on mstsc execution [windows]
   - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
-  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
+  - Atomic Test #8: Persistence via ErrorHandler.cmd script execution [windows]
+  - Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
   - Atomic Test #1: Add command to .bash_profile [macos, linux]
   - Atomic Test #2: Add command to .bashrc [macos, linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -810,7 +810,8 @@
   - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
   - Atomic Test #6: Load custom DLL on mstsc execution [windows]
   - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
-  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
+  - Atomic Test #8: Persistence via ErrorHandler.cmd script execution [windows]
+  - Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
   - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -1161,7 +1162,8 @@
   - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
   - Atomic Test #6: Load custom DLL on mstsc execution [windows]
   - Atomic Test #7: Persistence using automatic execution of custom DLL during RDP session [windows]
-  - Atomic Test #8: Persistence using STARTUP-PATH in MS-WORD [windows]
+  - Atomic Test #8: Persistence via ErrorHandler.cmd script execution [windows]
+  - Atomic Test #9: Persistence using STARTUP-PATH in MS-WORD [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
   - Atomic Test #1: Authentication Package [windows]
 - [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)

atomics/Indexes/index.yaml

@@ -45469,6 +45469,31 @@ privilege-escalation:
           Server\AddIns\TestDVCPlugin" /f
         name: command_prompt
         elevation_required: true
+    - name: Persistence via ErrorHandler.cmd script execution
+      auto_generated_guid: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
+      description: |
+        Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
+        Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd)
+          { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\T1546\\src\\\"
+          -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd\"
+          -OutFile \"PathToAtomicsFolder\\T1546\\src\\ErrorHandler.cmd\"      \n"
+      executor:
+        command: |
+          Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
+          C:\windows\System32\oobe\Setup
+        cleanup_command: 'Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd      '
+        name: powershell
+        elevation_required: true
     - name: Persistence using STARTUP-PATH in MS-WORD
       auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
       description: |-
@@ -69403,6 +69428,31 @@ persistence:
           Server\AddIns\TestDVCPlugin" /f
         name: command_prompt
         elevation_required: true
+    - name: Persistence via ErrorHandler.cmd script execution
+      auto_generated_guid: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
+      description: |
+        Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
+        Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd)
+          { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\T1546\\src\\\"
+          -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd\"
+          -OutFile \"PathToAtomicsFolder\\T1546\\src\\ErrorHandler.cmd\"      \n"
+      executor:
+        command: |
+          Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
+          C:\windows\System32\oobe\Setup
+        cleanup_command: 'Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd      '
+        name: powershell
+        elevation_required: true
     - name: Persistence using STARTUP-PATH in MS-WORD
       auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
       description: |-

atomics/Indexes/windows-index.yaml

@@ -37851,6 +37851,31 @@ privilege-escalation:
           Server\AddIns\TestDVCPlugin" /f
         name: command_prompt
         elevation_required: true
+    - name: Persistence via ErrorHandler.cmd script execution
+      auto_generated_guid: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
+      description: |
+        Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
+        Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd)
+          { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\T1546\\src\\\"
+          -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd\"
+          -OutFile \"PathToAtomicsFolder\\T1546\\src\\ErrorHandler.cmd\"      \n"
+      executor:
+        command: |
+          Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
+          C:\windows\System32\oobe\Setup
+        cleanup_command: 'Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd      '
+        name: powershell
+        elevation_required: true
     - name: Persistence using STARTUP-PATH in MS-WORD
       auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
       description: |-
@@ -57437,6 +57462,31 @@ persistence:
           Server\AddIns\TestDVCPlugin" /f
         name: command_prompt
         elevation_required: true
+    - name: Persistence via ErrorHandler.cmd script execution
+      auto_generated_guid: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
+      description: |
+        Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
+        Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd)
+          { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\T1546\\src\\\"
+          -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd\"
+          -OutFile \"PathToAtomicsFolder\\T1546\\src\\ErrorHandler.cmd\"      \n"
+      executor:
+        command: |
+          Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
+          C:\windows\System32\oobe\Setup
+        cleanup_command: 'Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd      '
+        name: powershell
+        elevation_required: true
     - name: Persistence using STARTUP-PATH in MS-WORD
       auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
       description: |-

atomics/T1546/T1546.md

@@ -22,7 +22,9 @@ Since the execution can be proxied by an account with higher permissions, such a
 
 - [Atomic Test #7 - Persistence using automatic execution of custom DLL during RDP session](#atomic-test-7---persistence-using-automatic-execution-of-custom-dll-during-rdp-session)
 
-- [Atomic Test #8 - Persistence using STARTUP-PATH in MS-WORD](#atomic-test-8---persistence-using-startup-path-in-ms-word)
+- [Atomic Test #8 - Persistence via ErrorHandler.cmd script execution](#atomic-test-8---persistence-via-errorhandlercmd-script-execution)
+
+- [Atomic Test #9 - Persistence using STARTUP-PATH in MS-WORD](#atomic-test-9---persistence-using-startup-path-in-ms-word)
 
 
 <br/>
@@ -319,7 +321,54 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVC
 <br/>
 <br/>
 
-## Atomic Test #8 - Persistence using STARTUP-PATH in MS-WORD
+## Atomic Test #8 - Persistence via ErrorHandler.cmd script execution
+Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
+Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 547a4736-dd1c-4b48-b4fe-e916190bb2e7
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
+C:\windows\System32\oobe\Setup
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
+##### Check Prereq Commands:
+```powershell
+if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd) { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\T1546\src\" -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd" -OutFile "PathToAtomicsFolder\T1546\src\ErrorHandler.cmd"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Persistence using STARTUP-PATH in MS-WORD
 When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
 it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
 The registry key can be abused to load malware from the mentioned path. Reboot might be required.

atomics/T1546/T1546.yaml

@@ -170,6 +170,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: Persistence via ErrorHandler.cmd script execution
+  auto_generated_guid: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
   description: |
     Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
     Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.

atomics/used_guids.txt

@@ -1675,3 +1675,4 @@ fe53e878-10a3-477b-963e-4367348f5af5
 552b4db3-8850-412c-abce-ab5cc8a86604
 e184b6bd-fb28-48aa-9a59-13012e33d7dc
 be8f4019-d8b6-434c-a814-53123cdcc11e
+547a4736-dd1c-4b48-b4fe-e916190bb2e7