From 06ea87f94fece51232b2b1bd3cdb9f918c585557 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 2 Jul 2020 23:17:39 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-3 --- atomics/Indexes/index.yaml | 18 +++++++++--------- atomics/T1574.010/T1574.010.md | 6 +++--- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b5837c12..5e3d65fa 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -6269,8 +6269,8 @@ privilege-escalation: powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file ) - Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify - the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. + Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify + the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. supported_platforms: - windows input_arguments: @@ -6281,7 +6281,7 @@ privilege-escalation: weak_permission_file: description: check weak files permission type: path - default: "$env:TEMP\\ T1574.010_weak_permission_file.txt" + default: "$env:TEMP\\T1574.010_weak_permission_file.txt" dependency_executor_name: powershell dependencies: - description: A file must exist on disk at specified location (#{weak_permission_file}) @@ -14327,8 +14327,8 @@ persistence: powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file ) - Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify - the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. + Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify + the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. supported_platforms: - windows input_arguments: @@ -14339,7 +14339,7 @@ persistence: weak_permission_file: description: check weak files permission type: path - default: "$env:TEMP\\ T1574.010_weak_permission_file.txt" + default: "$env:TEMP\\T1574.010_weak_permission_file.txt" dependency_executor_name: powershell dependencies: - description: A file must exist on disk at specified location (#{weak_permission_file}) @@ -30291,8 +30291,8 @@ defense-evasion: powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file ) - Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify - the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. + Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify + the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. supported_platforms: - windows input_arguments: @@ -30303,7 +30303,7 @@ defense-evasion: weak_permission_file: description: check weak files permission type: path - default: "$env:TEMP\\ T1574.010_weak_permission_file.txt" + default: "$env:TEMP\\T1574.010_weak_permission_file.txt" dependency_executor_name: powershell dependencies: - description: A file must exist on disk at specified location (#{weak_permission_file}) diff --git a/atomics/T1574.010/T1574.010.md b/atomics/T1574.010/T1574.010.md index c30331e1..be813ba4 100644 --- a/atomics/T1574.010/T1574.010.md +++ b/atomics/T1574.010/T1574.010.md @@ -16,8 +16,8 @@ This test to show checking file system permissions weakness and which can lead t powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file ) -Upon execution, open the weak permission file at %temp%\ T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify -the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. +Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify +the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled. **Supported Platforms:** Windows @@ -28,7 +28,7 @@ the weak file permissions, open File Explorer to%temp%\ T1574.010_weak_permissio | Name | Description | Type | Default Value | |------|-------------|------|---------------| | malicious_file | File to replace weak permission file with | path | $env:TEMP\ T1574.010\ T1574.010_malicious_file.txt| -| weak_permission_file | check weak files permission | path | $env:TEMP\ T1574.010_weak_permission_file.txt| +| weak_permission_file | check weak files permission | path | $env:TEMP\T1574.010_weak_permission_file.txt| #### Attack Commands: Run with `powershell`!