From 929d64a1b75c17b8dcfc06ce85f22e58eb2ac241 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Thu, 16 Apr 2026 02:44:12 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/index.yaml | 10 ++++++---- atomics/Indexes/linux-index.yaml | 10 ++++++---- atomics/Indexes/macos-index.yaml | 10 ++++++---- atomics/Indexes/windows-index.yaml | 10 ++++++---- atomics/T1027.013/T1027.013.md | 8 ++++---- 5 files changed, 28 insertions(+), 20 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f1f07666d..063d1cec0 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -2049,8 +2049,9 @@ defense-evasion: $bytes = [System.Convert]::FromBase64String($encodedString) $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes) #write the decoded eicar string to file - $decodedString | Out-File T1027.013_decodedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file. + $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction + Ignore name: powershell elevation_required: false - name: Decrypt Eicar File and Write to File @@ -2068,8 +2069,9 @@ defense-evasion: $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt)) #Write the decrypted eicar string to a file - $decryptedString | out-file T1027.013_decryptedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file. + $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force + -ErrorAction Ignore name: powershell elevation_required: false - name: Password-Protected ZIP Payload Extraction and Execution 
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index f9cc0baee..c1f6ae5d5 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -1530,8 +1530,9 @@ defense-evasion: $bytes = [System.Convert]::FromBase64String($encodedString) $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes) #write the decoded eicar string to file - $decodedString | Out-File T1027.013_decodedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file. + $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction + Ignore name: powershell elevation_required: false - name: Decrypt Eicar File and Write to File @@ -1549,8 +1550,9 @@ defense-evasion: $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt)) #Write the decrypted eicar string to a file - $decryptedString | out-file T1027.013_decryptedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file. + $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force + -ErrorAction Ignore name: powershell elevation_required: false - name: Password-Protected ZIP Payload Extraction and Execution diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml index 8f5bf427e..978dda2dc 100644 --- a/atomics/Indexes/macos-index.yaml +++ b/atomics/Indexes/macos-index.yaml 
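Review bot: The new `Out-File $env:temp\T1027.013_decodedEicar.txt` line and its `Remove-Item` cleanup are listed here in the Linux index (and identically in the macOS index hunks), but `$env:temp` is normally not set under PowerShell on those platforms, so the path would likely collapse to `\T1027.013_decodedEicar.txt` and the unelevated test would try to write outside any temp directory. The same applies to the `T1027.013_decryptedEicar.txt` hunk that follows. A portable form is `$decodedString | Out-File (Join-Path ([System.IO.Path]::GetTempPath()) 'T1027.013_decodedEicar.txt')`, with the same path expression in the `Remove-Item` cleanup. Since this index is generated, the change belongs in the atomic definition it is built from, or that definition's platform list should be narrowed to Windows; the test entries around these lines start and end outside the hunks.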
@@ -1329,8 +1329,9 @@ defense-evasion: $bytes = [System.Convert]::FromBase64String($encodedString) $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes) #write the decoded eicar string to file - $decodedString | Out-File T1027.013_decodedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file. + $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction + Ignore name: powershell elevation_required: false - name: Decrypt Eicar File and Write to File @@ -1348,8 +1349,9 @@ defense-evasion: $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt)) #Write the decrypted eicar string to a file - $decryptedString | out-file T1027.013_decryptedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file. + $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force + -ErrorAction Ignore name: powershell elevation_required: false - name: Password-Protected ZIP Payload Extraction and Execution diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 595540ff8..8042ae416 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
@@ -1524,8 +1524,9 @@ defense-evasion: $bytes = [System.Convert]::FromBase64String($encodedString) $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes) #write the decoded eicar string to file - $decodedString | Out-File T1027.013_decodedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file. + $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction + Ignore name: powershell elevation_required: false - name: Decrypt Eicar File and Write to File @@ -1543,8 +1544,9 @@ defense-evasion: $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt)) #Write the decrypted eicar string to a file - $decryptedString | out-file T1027.013_decryptedEicar.txt - cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file. + $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt + cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force + -ErrorAction Ignore name: powershell elevation_required: false T1014: diff --git a/atomics/T1027.013/T1027.013.md b/atomics/T1027.013/T1027.013.md index 3e6214338..38ffd3912 100644 --- a/atomics/T1027.013/T1027.013.md +++ b/atomics/T1027.013/T1027.013.md 
@@ -35,13 +35,13 @@ $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVE $bytes = [System.Convert]::FromBase64String($encodedString) $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes) #write the decoded eicar string to file -$decodedString | Out-File T1027.013_decodedEicar.txt +$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt ``` #### Cleanup Commands ```powershell -Just delete the resulting T1027.013_decodedEicar.txt file. +Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction Ignore ``` ### Atomic Test #2: Decrypt Eicar File and Write to File @@ -59,13 +59,13 @@ $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,2 $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt)) #Write the decrypted eicar string to a file -$decryptedString | out-file T1027.013_decryptedEicar.txt +$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt ``` #### Cleanup Commands ```powershell -Just delete the resulting T1027.013_decryptedEicar.txt file. +Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force -ErrorAction Ignore ``` ### Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution