Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Oct 10, 2023 · 3625d11 · 3625d11
1 parent 07da073
commit 3625d11
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 10 deletions.
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -751,7 +751,7 @@ execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
 execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
 execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
-execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
+execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,command_prompt
 execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,1,JScript execution to gather local computer information via cscript,01d75adf-ca1b-4dd1-ac96-7c9550ad1035,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,2,JScript execution to gather local computer information via wscript,0709945e-4fec-4c49-9faf-c3c292a74484,command_prompt

diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -524,7 +524,7 @@ execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
 execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
 execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
-execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
+execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,command_prompt
 execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,1,JScript execution to gather local computer information via cscript,01d75adf-ca1b-4dd1-ac96-7c9550ad1035,command_prompt
 execution,T1059.007,Command and Scripting Interpreter: JavaScript,2,JScript execution to gather local computer information via wscript,0709945e-4fec-4c49-9faf-c3c292a74484,command_prompt

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -47428,12 +47428,12 @@ execution:
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
           Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
       executor:
-        command: 'wmic /node:#{node} process call create "rundll32.exe "#{dll_to_execute}"
+        command: 'wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\"
           #{function_to_execute}"
 
           '
         cleanup_command: taskkill /f /im calculator.exe
-        name: powershell
+        name: command_prompt
     - name: Application uninstall using WMIC
       auto_generated_guid: c510d25b-1667-467d-8331-a56d3e9bc4ff
       description: Emulates uninstalling  applications using WMIC.  This method only

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -40973,12 +40973,12 @@ execution:
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
           Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
       executor:
-        command: 'wmic /node:#{node} process call create "rundll32.exe "#{dll_to_execute}"
+        command: 'wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\"
           #{function_to_execute}"
 
           '
         cleanup_command: taskkill /f /im calculator.exe
-        name: powershell
+        name: command_prompt
     - name: Application uninstall using WMIC
       auto_generated_guid: c510d25b-1667-467d-8331-a56d3e9bc4ff
       description: Emulates uninstalling  applications using WMIC.  This method only

diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md
@@ -331,15 +331,15 @@ This test uses wmic.exe to execute a DLL function using rundll32. Specify a vali
 | function_to_execute | Name of DLL function to call | string | StartW|
 
 
-#### Attack Commands: Run with `powershell`! 
+#### Attack Commands: Run with `command_prompt`! 
 
 
-```powershell
-wmic /node:#{node} process call create "rundll32.exe "#{dll_to_execute}" #{function_to_execute}"
+```cmd
+wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
 ```
 
 #### Cleanup Commands:
-```powershell
+```cmd
 taskkill /f /im calculator.exe
 ```