Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1618-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1619-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -687,6 +687,7 @@ privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+privilege-escalation,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
 privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
@@ -1056,6 +1057,7 @@ persistence,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+persistence,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
 persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -480,6 +480,7 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+privilege-escalation,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
 privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
@@ -722,6 +723,7 @@ persistence,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+persistence,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
 persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -900,6 +900,7 @@
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
   - Atomic Test #1: Add a driver [windows]
+  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
   - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
   - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
@@ -1419,6 +1420,7 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
   - Atomic Test #1: Add a driver [windows]
+  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
   - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
   - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -645,6 +645,7 @@
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
   - Atomic Test #1: Add a driver [windows]
+  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
   - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
   - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
@@ -990,6 +991,7 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
   - Atomic Test #1: Add a driver [windows]
+  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
   - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
   - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]

atomics/Indexes/index.yaml

@@ -34692,6 +34692,25 @@ privilege-escalation:
 
           '
         name: command_prompt
+    - name: Driver Installation Using pnputil.exe
+      auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
+      description: 'pnputil.exe is a native command-line utility in Windows to install
+        drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_path:
+          description: Enter the driver file path to install (Default is used built-in
+            windows driver - acpipmi.inf)
+          type: path
+          default: C:\Windows\INF\acpipmi.inf
+      executor:
+        command: 'pnputil.exe -i -a #{driver_path}
+
+          '
+        name: powershell
   T1547.014:
     technique:
       modified: '2023-05-09T14:00:00.188Z'
@@ -58303,6 +58322,25 @@ persistence:
 
           '
         name: command_prompt
+    - name: Driver Installation Using pnputil.exe
+      auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
+      description: 'pnputil.exe is a native command-line utility in Windows to install
+        drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_path:
+          description: Enter the driver file path to install (Default is used built-in
+            windows driver - acpipmi.inf)
+          type: path
+          default: C:\Windows\INF\acpipmi.inf
+      executor:
+        command: 'pnputil.exe -i -a #{driver_path}
+
+          '
+        name: powershell
   T1547.014:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

atomics/Indexes/windows-index.yaml

@@ -29093,6 +29093,25 @@ privilege-escalation:
 
           '
         name: command_prompt
+    - name: Driver Installation Using pnputil.exe
+      auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
+      description: 'pnputil.exe is a native command-line utility in Windows to install
+        drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_path:
+          description: Enter the driver file path to install (Default is used built-in
+            windows driver - acpipmi.inf)
+          type: path
+          default: C:\Windows\INF\acpipmi.inf
+      executor:
+        command: 'pnputil.exe -i -a #{driver_path}
+
+          '
+        name: powershell
   T1547.014:
     technique:
       modified: '2023-05-09T14:00:00.188Z'
@@ -48308,6 +48327,25 @@ persistence:
 
           '
         name: command_prompt
+    - name: Driver Installation Using pnputil.exe
+      auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
+      description: 'pnputil.exe is a native command-line utility in Windows to install
+        drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_path:
+          description: Enter the driver file path to install (Default is used built-in
+            windows driver - acpipmi.inf)
+          type: path
+          default: C:\Windows\INF\acpipmi.inf
+      executor:
+        command: 'pnputil.exe -i -a #{driver_path}
+
+          '
+        name: powershell
   T1547.014:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

atomics/T1547/T1547.md

@@ -8,6 +8,8 @@ Since some boot or logon autostart programs run with higher privileges, an adver
 
 - [Atomic Test #1 - Add a driver](#atomic-test-1---add-a-driver)
 
+- [Atomic Test #2 - Driver Installation Using pnputil.exe](#atomic-test-2---driver-installation-using-pnputilexe)
+
 
 <br/>
 
@@ -41,4 +43,37 @@ pnputil.exe /add-driver "#{driver_inf}"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Driver Installation Using pnputil.exe
+pnputil.exe is a native command-line utility in Windows to install drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5cb0b071-8a5a-412f-839d-116beb2ed9f7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| driver_path | Enter the driver file path to install (Default is used built-in windows driver - acpipmi.inf) | path | C:&#92;Windows&#92;INF&#92;acpipmi.inf|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+pnputil.exe -i -a #{driver_path}
+```
+
+
+
+
+
+
 <br/>

atomics/T1547/T1547.yaml

@@ -18,6 +18,7 @@ atomic_tests:
     name: command_prompt
 
 - name: Driver Installation Using pnputil.exe
+  auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
   description: |
     pnputil.exe is a native command-line utility in Windows to install drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
   supported_platforms:

atomics/used_guids.txt

@@ -1657,3 +1657,4 @@ f2915249-4485-42e2-96b7-9bf34328d497
 7816c252-b728-4ea6-a683-bd9441ca0b71
 74094120-e1f5-47c9-b162-a418a0f624d5
 cfe6315c-4945-40f7-b5a4-48f7af2262af
+5cb0b071-8a5a-412f-839d-116beb2ed9f7