Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1105/T1105.md

@@ -22,6 +22,8 @@ Adversaries may also copy files laterally between internal victim systems to sup
 
 - [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)
 
+- [Atomic Test #9 - Windows - BITSAdmin BITS Download](#atomic-test-9---windows---bitsadmin-bits-download)
+
 
 <br/>
 
@@ -191,3 +193,24 @@ certutil -verifyctl -split -f #{remote_file}
 Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
 ```
 <br/>
+<br/>
+
+## Atomic Test #9 - Windows - BITSAdmin BITS Download
+This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
+This technique is used by Qbot malware to download payloads.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| bits_job_name | Name of the created BITS job | String | qcxjb7|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+
+#### Run it with `command_prompt`!
+```
+C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
+```
+<br/>

atomics/index.md

@@ -668,6 +668,7 @@
   - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
   - Atomic Test #7: certutil download (urlcache) [windows]
   - Atomic Test #8: certutil download (verifyctl) [windows]
+  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -767,6 +768,7 @@
   - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
   - Atomic Test #7: certutil download (urlcache) [windows]
   - Atomic Test #8: certutil download (verifyctl) [windows]
+  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
   - Atomic Test #1: Malicious User Agents [windows]
   - Atomic Test #2: Malicious User Agents - Nix [linux, macos]

atomics/index.yaml

@@ -19037,6 +19037,29 @@ lateral-movement:
           Set-Location $datePath
           certutil -verifyctl -split -f #{remote_file}
           Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
+    - name: Windows - BITSAdmin BITS Download
+      description: |
+        This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
+        This technique is used by Qbot malware to download payloads.
+      supported_platforms:
+      - windows
+      input_arguments:
+        bits_job_name:
+          description: Name of the created BITS job
+          type: String
+          default: qcxjb7
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: Atomic-license.txt
+      executor:
+        name: command_prompt
+        command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
+          HIGH #{remote_file} #{local_path}'
   T1077:
     technique:
       external_references:
@@ -20959,6 +20982,29 @@ command-and-control:
           Set-Location $datePath
           certutil -verifyctl -split -f #{remote_file}
           Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
+    - name: Windows - BITSAdmin BITS Download
+      description: |
+        This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
+        This technique is used by Qbot malware to download payloads.
+      supported_platforms:
+      - windows
+      input_arguments:
+        bits_job_name:
+          description: Name of the created BITS job
+          type: String
+          default: qcxjb7
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: Atomic-license.txt
+      executor:
+        name: command_prompt
+        command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
+          HIGH #{remote_file} #{local_path}'
   T1071:
     technique:
       external_references:

atomics/windows-index.md

@@ -387,6 +387,7 @@
 - [T1105 Remote File Copy](./T1105/T1105.md)
   - Atomic Test #7: certutil download (urlcache) [windows]
   - Atomic Test #8: certutil download (verifyctl) [windows]
+  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -538,6 +539,7 @@
 - [T1105 Remote File Copy](./T1105/T1105.md)
   - Atomic Test #7: certutil download (urlcache) [windows]
   - Atomic Test #8: certutil download (verifyctl) [windows]
+  - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
   - Atomic Test #1: Malicious User Agents [windows]
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)