Generated docs from job=generate-docs branch=master [ci skip]
Atomic Red Team doc generator committed Oct 12, 2023
1 parent e73dea5 commit c98b35d
Showing 4 changed files with 54 additions and 13 deletions.
23 changes: 18 additions & 5 deletions atomics/Indexes/index.yaml
@@ -22991,10 +22991,22 @@ defense-evasion:
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Wscript file to execute must exist on disk

'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs")
{exit 0} else {exit 1}

'
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
executor:
command: |
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1

'
@@ -23046,7 +23058,8 @@ defense-evasion:
executor:
command: |
copy "#{inputfile}" #{outputfile}
$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id }
catch { $_; exit $_.Exception.HResult}
Stop-Process -ID $myT1036_003
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore

@@ -103492,9 +103505,9 @@ discovery:
executor:
name: powershell
elevation_required: false
command: 'get-wmiobject -class ds_computer -namespace root\directory\ldap

'
command: |
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }
- name: Remote System Discovery - net group Domain Controller
auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0
description: |
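Review bot: The new `get_prereq_command` downloads `T1036.003_masquerading.vbs` from an unpinned `master` branch URL and the new executor line then runs whatever landed on disk, with no integrity check in between, so a change to that file upstream, a compromised repository, or an intercepting proxy would silently alter what `svchost.exe` (the renamed wscript) executes. Since this index is generated, the fix belongs in the source atomic YAML, but it should pin the URL to a commit SHA and verify the download before it is considered satisfied, e.g. `$p = "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"` followed by `if ((Get-FileHash $p -Algorithm SHA256).Hash -ne '<expected-sha256>') { Remove-Item $p -Force; exit 1 }` after the `Invoke-WebRequest`. The `prereq_command` only tests `Test-Path`, so a truncated or partial file left by an earlier failed download also passes as present; checking the hash there too would close that gap. The test definition these hunks belong to starts above the first hunk, so its `name:` and `description:` keys are not visible here. Separately, the surrounding description still says wscript "ran out of the temp folder" while the executor copies it to `%APPDATA%`, which is worth correcting at the source.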
23 changes: 18 additions & 5 deletions atomics/Indexes/windows-index.yaml
@@ -19788,10 +19788,22 @@ defense-evasion:
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Wscript file to execute must exist on disk

'
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs")
{exit 0} else {exit 1}

'
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
executor:
command: |
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1

'
@@ -19843,7 +19855,8 @@ defense-evasion:
executor:
command: |
copy "#{inputfile}" #{outputfile}
$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id }
catch { $_; exit $_.Exception.HResult}
Stop-Process -ID $myT1036_003
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore

@@ -88397,9 +88410,9 @@ discovery:
executor:
name: powershell
elevation_required: false
command: 'get-wmiobject -class ds_computer -namespace root\directory\ldap

'
command: |
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }
- name: Remote System Discovery - net group Domain Controller
auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0
description: |
3 changes: 2 additions & 1 deletion atomics/T1018/T1018.md
@@ -757,7 +757,8 @@ Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershe


```powershell
get-wmiobject -class ds_computer -namespace root\directory\ldap
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }
```


18 changes: 16 additions & 2 deletions atomics/T1036.003/T1036.003.md
@@ -150,7 +150,7 @@ Upon execution, no windows will remain open but wscript will have been renamed t

```cmd
copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe /B
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
```

#### Cleanup Commands:
@@ -160,6 +160,19 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1



#### Dependencies: Run with `powershell`!
##### Description: Wscript file to execute must exist on disk
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
```




<br/>
@@ -226,7 +239,8 @@ Upon successful execution, powershell will execute T1036.003.exe as svchost.exe

```powershell
copy "#{inputfile}" #{outputfile}
$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id }
catch { $_; exit $_.Exception.HResult}
Stop-Process -ID $myT1036_003
```
