Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Jul 24, 2024 · 9418990 · 9418990
1 parent ba841eb
commit 9418990
Show file tree

Hide file tree

Showing 12 changed files with 184 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1616-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1618-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1786,6 +1786,8 @@ discovery,T1217,Browser Bookmark Discovery,6,List Google Chrome / Edge Chromium
 discovery,T1217,Browser Bookmark Discovery,7,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
 discovery,T1217,Browser Bookmark Discovery,8,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
 discovery,T1217,Browser Bookmark Discovery,9,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
+discovery,T1217,Browser Bookmark Discovery,10,Extract Edge Browsing History,74094120-e1f5-47c9-b162-a418a0f624d5,powershell
+discovery,T1217,Browser Bookmark Discovery,11,Extract chrome Browsing History,cfe6315c-4945-40f7-b5a4-48f7af2262af,powershell
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh

diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1194,6 +1194,8 @@ discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Opera Bookmark
 discovery,T1217,Browser Bookmark Discovery,6,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
 discovery,T1217,Browser Bookmark Discovery,7,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
 discovery,T1217,Browser Bookmark Discovery,8,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
+discovery,T1217,Browser Bookmark Discovery,10,Extract Edge Browsing History,74094120-e1f5-47c9-b162-a418a0f624d5,powershell
+discovery,T1217,Browser Bookmark Discovery,11,Extract chrome Browsing History,cfe6315c-4945-40f7-b5a4-48f7af2262af,powershell
 discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt

diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2451,6 +2451,8 @@
   - Atomic Test #7: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
   - Atomic Test #8: List Internet Explorer Bookmarks using the command prompt [windows]
   - Atomic Test #9: List Safari Bookmarks on MacOS [macos]
+  - Atomic Test #10: Extract Edge Browsing History [windows]
+  - Atomic Test #11: Extract chrome Browsing History [windows]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
   - Atomic Test #2: List Windows Firewall Rules [windows]

diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1707,6 +1707,8 @@
   - Atomic Test #6: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
   - Atomic Test #7: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
   - Atomic Test #8: List Internet Explorer Bookmarks using the command prompt [windows]
+  - Atomic Test #10: Extract Edge Browsing History [windows]
+  - Atomic Test #11: Extract chrome Browsing History [windows]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #1: System Network Configuration Discovery on Windows [windows]
   - Atomic Test #2: List Windows Firewall Rules [windows]

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -101936,6 +101936,51 @@ discovery:
 
           '
         name: sh
+    - name: Extract Edge Browsing History
+      auto_generated_guid: 74094120-e1f5-47c9-b162-a418a0f624d5
+      description: 'This test will extract Microsoft Edge browser''s history of current
+        user
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        history_path:
+          description: Microsoft Edge browser history file path
+          type: String
+          default: "$Env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\History"
+        dest_path:
+          description: Target file path to where the history to be extracted
+          type: String
+          default: "$Env:USERPROFILE\\Downloads\\edgebrowsinghistory.txt"
+      executor:
+        command: |
+          $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+          $History = Get-Content -Path "#{history_path}" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+          $History | Out-File -FilePath "#{dest_path}"
+        cleanup_command: 'Remove-Item -Path "#{dest_path}"
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Extract chrome Browsing History
+      auto_generated_guid: cfe6315c-4945-40f7-b5a4-48f7af2262af
+      description: 'This test will extract browsing history of the chrome user
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $Username = (whoami).Split('\')[1]
+          $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+          $History = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+          $History | Out-File -FilePath "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+        cleanup_command: 'Remove-Item -Path "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+
+          '
+        name: powershell
+        elevation_required: true
   T1016:
     technique:
       modified: '2023-07-28T14:40:54.580Z'

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -83408,6 +83408,51 @@ discovery:
 
           '
         name: command_prompt
+    - name: Extract Edge Browsing History
+      auto_generated_guid: 74094120-e1f5-47c9-b162-a418a0f624d5
+      description: 'This test will extract Microsoft Edge browser''s history of current
+        user
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        history_path:
+          description: Microsoft Edge browser history file path
+          type: String
+          default: "$Env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\History"
+        dest_path:
+          description: Target file path to where the history to be extracted
+          type: String
+          default: "$Env:USERPROFILE\\Downloads\\edgebrowsinghistory.txt"
+      executor:
+        command: |
+          $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+          $History = Get-Content -Path "#{history_path}" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+          $History | Out-File -FilePath "#{dest_path}"
+        cleanup_command: 'Remove-Item -Path "#{dest_path}"
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Extract chrome Browsing History
+      auto_generated_guid: cfe6315c-4945-40f7-b5a4-48f7af2262af
+      description: 'This test will extract browsing history of the chrome user
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $Username = (whoami).Split('\')[1]
+          $URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+          $History = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+          $History | Out-File -FilePath "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+        cleanup_command: 'Remove-Item -Path "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+
+          '
+        name: powershell
+        elevation_required: true
   T1016:
     technique:
       modified: '2023-07-28T14:40:54.580Z'

diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md
@@ -26,6 +26,10 @@ Specific storage locations vary based on platform and/or application, but browse
 
 - [Atomic Test #9 - List Safari Bookmarks on MacOS](#atomic-test-9---list-safari-bookmarks-on-macos)
 
+- [Atomic Test #10 - Extract Edge Browsing History](#atomic-test-10---extract-edge-browsing-history)
+
+- [Atomic Test #11 - Extract chrome Browsing History](#atomic-test-11---extract-chrome-browsing-history)
+
 
 <br/>
 
@@ -331,4 +335,79 @@ rm -f #{output_file} 2>/dev/null
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - Extract Edge Browsing History
+This test will extract Microsoft Edge browser's history of current user
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 74094120-e1f5-47c9-b162-a418a0f624d5
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| history_path | Microsoft Edge browser history file path | String | $Env:LOCALAPPDATA&#92;Microsoft&#92;Edge&#92;User Data&#92;Default&#92;History|
+| dest_path | Target file path to where the history to be extracted | String | $Env:USERPROFILE&#92;Downloads&#92;edgebrowsinghistory.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+$History = Get-Content -Path "#{history_path}" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+$History | Out-File -FilePath "#{dest_path}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "#{dest_path}"
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Extract chrome Browsing History
+This test will extract browsing history of the chrome user
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cfe6315c-4945-40f7-b5a4-48f7af2262af
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$Username = (whoami).Split('\')[1]
+$URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
+$History = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
+$History | Out-File -FilePath "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1217/T1217.yaml b/atomics/T1217/T1217.yaml
@@ -135,6 +135,7 @@ atomic_tests:
     name: sh
 
 - name: Extract Edge Browsing History
+  auto_generated_guid: 74094120-e1f5-47c9-b162-a418a0f624d5
   description: |
     This test will extract Microsoft Edge browser's history of current user
   supported_platforms:
@@ -159,6 +160,7 @@ atomic_tests:
     elevation_required: true
 
 - name: Extract chrome Browsing History
+  auto_generated_guid: cfe6315c-4945-40f7-b5a4-48f7af2262af
   description: |
     This test will extract browsing history of the chrome user
   supported_platforms:

diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
@@ -1655,3 +1655,5 @@ f2915249-4485-42e2-96b7-9bf34328d497
 004a5d68-627b-452d-af3d-43bd1fc75a3b
 573d15da-c34e-4c59-a7d2-18f20d92dfa3
 7816c252-b728-4ea6-a683-bd9441ca0b71
+74094120-e1f5-47c9-b162-a418a0f624d5
+cfe6315c-4945-40f7-b5a4-48f7af2262af