Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1294,6 +1294,7 @@ command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,b
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
+reconnaissance,T1592.002,Software,1,Enumerate COM Objects with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
 impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -2176,7 +2176,8 @@
 - T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1597 Search Closed Sources [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1592.003 Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1592.002 Software](../../T1592.002/T1592.002.md)
+  - Atomic Test #1: Enumerate COM Objects with Powershell [windows]
 - T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1595.003 Wordlist Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -94421,7 +94421,35 @@ reconnaissance:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Internet Scan: Response Content'
-    atomic_tests: []
+      identifier: T1592.002
+    atomic_tests:
+    - name: Enumerate COM Objects with Powershell
+      auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
+      description: "This test is designed to enumerate the COM objects listed in HKCR,
+        then output their methods and CLSIDs to a text file.\nAn adversary could then
+        use this information to identify COM objects that might be vulnerable to abuse,
+        such as using them to spawn arbitrary processes. \nSee: https://www.mandiant.com/resources/hunting-com-objects"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: File to output list of COM objects to
+          type: String
+          default: "$env:temp\\T1592.002Test1.txt"
+      executor:
+        command: |
+          New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
+          Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
+          ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
+          {try{write-output "$($Position)-$($CLSID)"
+          write-output "------------"| out-file #{output_file} -append
+          write-output $($CLSID)| out-file #{output_file} -append
+          $handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
+          $handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
+          $position += 1} catch{}}
+        cleanup_command: "remove-item #{output_file} -force -erroraction silentlycontinue\nremove-item
+          $env:temp\\clsids.txt -force -erroraction silentlycontinue      \n"
+        name: powershell
   T1593.001:
     technique:
       x_mitre_platforms:

atomics/T1592.002/T1592.002.md

@@ -0,0 +1,59 @@
+# T1592.002 - Software
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/002)
+<blockquote>Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
+
+Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Enumerate COM Objects with Powershell](#atomic-test-1---enumerate-com-objects-with-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Enumerate COM Objects with Powershell
+This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
+An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
+See: https://www.mandiant.com/resources/hunting-com-objects
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to output list of COM objects to | String | $env:temp&#92;T1592.002Test1.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
+Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
+ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
+{try{write-output "$($Position)-$($CLSID)"
+write-output "------------"| out-file #{output_file} -append
+write-output $($CLSID)| out-file #{output_file} -append
+$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
+$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
+$position += 1} catch{}}
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -force -erroraction silentlycontinue
+remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
+```
+
+
+
+
+
+<br/>