Generated docs from job=generate-docs branch=master [ci skip]

2022-09-29 17:15:18 +00:00
parent 5d77f4da7e
commit 09b7ade645
8 changed files with 58 additions and 2 deletions
@@ -108,6 +108,7 @@ defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
@@ -71,6 +71,7 @@ defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe
 defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
@@ -155,6 +155,7 @@
  - Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
  - Atomic Test #10: Prevent Powershell History Logging [windows]
  - Atomic Test #11: Clear Powershell History by Deleting History File [windows]
+  - Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -105,6 +105,7 @@
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
  - Atomic Test #10: Prevent Powershell History Logging [windows]
  - Atomic Test #11: Clear Powershell History by Deleting History File [windows]
+  - Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -6271,6 +6271,22 @@ defense-evasion:
      executor:
        command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath

+          '
+        name: powershell
+    - name: Set Custom AddToHistoryHandler to Avoid History File Logging
+      auto_generated_guid: 1d0d9aa6-6111-4f89-927b-53e8afae7f94
+      description: "The \"AddToHistoryHandler\" receives the current command as the
+        $line variable and then returns $true if \nthe line should be written to the
+        history file. Here we simply return $false so nothing gets added to \nthe
+        history file for the current session. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Set-PSReadLineOption -AddToHistoryHandler { return $false }
+
+          '
+        cleanup_command: 'Set-PSReadLineOption -AddToHistoryHandler $null
+
          '
        name: powershell
  T1202:
@@ -38,6 +38,8 @@ Adversaries may run the PowerShell command <code>Clear-History</code> to flush t

 - [Atomic Test #11 - Clear Powershell History by Deleting History File](#atomic-test-11---clear-powershell-history-by-deleting-history-file)

+- [Atomic Test #12 - Set Custom AddToHistoryHandler to Avoid History File Logging](#atomic-test-12---set-custom-addtohistoryhandler-to-avoid-history-file-logging)
+

 <br/>

@@ -380,4 +382,38 @@ Remove-Item (Get-PSReadlineOption).HistorySavePath



+<br/>
+<br/>
+
+## Atomic Test #12 - Set Custom AddToHistoryHandler to Avoid History File Logging
+The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if 
+the line should be written to the history file. Here we simply return $false so nothing gets added to 
+the history file for the current session.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1d0d9aa6-6111-4f89-927b-53e8afae7f94
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-PSReadLineOption -AddToHistoryHandler { return $false }
+```
+
+#### Cleanup Commands:
+```powershell
+Set-PSReadLineOption -AddToHistoryHandler $null
+```
+
+
+
+
+
 <br/>