Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Oct 25, 2024 · 487dd6f · 487dd6f
1 parent d93cb37
commit 487dd6f
Show file tree

Hide file tree

Showing 12 changed files with 67 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1655-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1656-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1912,6 +1912,7 @@ discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1012,Query Registry,4,Reg query for AlwaysInstallElevated status,6fb4c4c5-f949-4fd2-8af5-ddbc61595223,command_prompt
 discovery,T1012,Query Registry,5,Check Software Inventory Logging (SIL) status via Registry,5c784969-1d43-4ac7-8c3d-ed6d025ed10d,command_prompt
+discovery,T1012,Query Registry,6,Inspect SystemStartOptions Value in Registry,96257079-cdc1-4aba-8705-3146e94b6dce,command_prompt
 discovery,T1614,System Location Discovery,1,Get geolocation info through IP-Lookup services using curl Windows,fe53e878-10a3-477b-963e-4367348f5af5,command_prompt
 discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt

diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1292,6 +1292,7 @@ discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1012,Query Registry,4,Reg query for AlwaysInstallElevated status,6fb4c4c5-f949-4fd2-8af5-ddbc61595223,command_prompt
 discovery,T1012,Query Registry,5,Check Software Inventory Logging (SIL) status via Registry,5c784969-1d43-4ac7-8c3d-ed6d025ed10d,command_prompt
+discovery,T1012,Query Registry,6,Inspect SystemStartOptions Value in Registry,96257079-cdc1-4aba-8705-3146e94b6dce,command_prompt
 discovery,T1614,System Location Discovery,1,Get geolocation info through IP-Lookup services using curl Windows,fe53e878-10a3-477b-963e-4367348f5af5,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell

diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2592,6 +2592,7 @@
   - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
   - Atomic Test #4: Reg query for AlwaysInstallElevated status [windows]
   - Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry [windows]
+  - Atomic Test #6: Inspect SystemStartOptions Value in Registry [windows]
 - [T1614 System Location Discovery](../../T1614/T1614.md)
   - Atomic Test #1: Get geolocation info through IP-Lookup services using curl Windows [windows]
   - Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]

diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1818,6 +1818,7 @@
   - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
   - Atomic Test #4: Reg query for AlwaysInstallElevated status [windows]
   - Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry [windows]
+  - Atomic Test #6: Inspect SystemStartOptions Value in Registry [windows]
 - [T1614 System Location Discovery](../../T1614/T1614.md)
   - Atomic Test #1: Get geolocation info through IP-Lookup services using curl Windows [windows]
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -105796,6 +105796,20 @@ discovery:
           '
         name: command_prompt
         elevation_required: true
+    - name: Inspect SystemStartOptions Value in Registry
+      auto_generated_guid: 96257079-cdc1-4aba-8705-3146e94b6dce
+      description: The objective of this test is to query the SystemStartOptions key
+        under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This
+        action could be used to uncover specific details about how the system is configured
+        to start, potentially aiding in understanding boot parameters or identifying
+        security-related settings. key is.
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: 'reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
+
+          '
   T1614:
     technique:
       x_mitre_platforms:

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -86583,6 +86583,20 @@ discovery:
           '
         name: command_prompt
         elevation_required: true
+    - name: Inspect SystemStartOptions Value in Registry
+      auto_generated_guid: 96257079-cdc1-4aba-8705-3146e94b6dce
+      description: The objective of this test is to query the SystemStartOptions key
+        under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This
+        action could be used to uncover specific details about how the system is configured
+        to start, potentially aiding in understanding boot parameters or identifying
+        security-related settings. key is.
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: 'reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
+
+          '
   T1614:
     technique:
       x_mitre_platforms:

diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md
@@ -16,6 +16,8 @@ The Registry contains a significant amount of information about the operating sy
 
 - [Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry](#atomic-test-5---check-software-inventory-logging-sil-status-via-registry)
 
+- [Atomic Test #6 - Inspect SystemStartOptions Value in Registry](#atomic-test-6---inspect-systemstartoptions-value-in-registry)
+
 
 <br/>
 
@@ -229,4 +231,32 @@ reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collec
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Inspect SystemStartOptions Value in Registry
+The objective of this test is to query the SystemStartOptions key under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This action could be used to uncover specific details about how the system is configured to start, potentially aiding in understanding boot parameters or identifying security-related settings. key is.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 96257079-cdc1-4aba-8705-3146e94b6dce
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
+```
+
+
+
+
+
+
 <br/>
diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml
@@ -127,6 +127,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: Inspect SystemStartOptions Value in Registry
+  auto_generated_guid: 96257079-cdc1-4aba-8705-3146e94b6dce
   description: The objective of this test is to query the SystemStartOptions key under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This action could be used to uncover specific details about how the system is configured to start, potentially aiding in understanding boot parameters or identifying security-related settings.
     key is.
   supported_platforms:

diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
@@ -1684,3 +1684,4 @@ ad4b73c2-d6e2-4d8b-9868-4c6f55906e01
 f6ecb109-df24-4303-8d85-1987dbae6160
 7161b085-816a-491f-bab4-d68e974b7995
 51f17016-d8fa-4360-888a-df4bf92c4a04
+96257079-cdc1-4aba-8705-3146e94b6dce