Generated docs from job=generate-docs branch=master [ci skip]

2024-08-03 01:32:44 +00:00
parent f85294b90d
commit 1157183f0a
12 changed files with 79 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1627-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1628-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -569,6 +569,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
+defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
 defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
@@ -397,6 +397,7 @@ defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1
 defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
+defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
 defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
@@ -724,6 +724,7 @@
 - [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
  - Atomic Test #1: Hidden Window [windows]
  - Atomic Test #2: Headless Browser Accessing Mockbin [windows]
+  - Atomic Test #3: Hidden Window-Conhost Execution [windows]
 - T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -520,6 +520,7 @@
 - [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
  - Atomic Test #1: Hidden Window [windows]
  - Atomic Test #2: Headless Browser Accessing Mockbin [windows]
+  - Atomic Test #3: Hidden Window-Conhost Execution [windows]
 - T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
@@ -26979,6 +26979,23 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Hidden Window-Conhost Execution
+      auto_generated_guid: 5510d22f-2595-4911-8456-4d630c978616
+      description: "Launch conhost.exe in \"headless\" mode, it means that no visible
+        window will pop up on the victim's machine. \nThis could be a sign of \"conhost\"
+        usage as a LOLBIN or potential process injection activity.\nconhost.exe can
+        be used as proxy the execution of arbitrary commands\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'conhost.exe --headless calc.exe
+
+          '
+        cleanup_command: 'Stop-Process -Name calc*
+
+          '
+        name: powershell
+        elevation_required: true
  T1556.009:
    technique:
      modified: '2024-04-18T20:53:46.175Z'
@@ -22209,6 +22209,23 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Hidden Window-Conhost Execution
+      auto_generated_guid: 5510d22f-2595-4911-8456-4d630c978616
+      description: "Launch conhost.exe in \"headless\" mode, it means that no visible
+        window will pop up on the victim's machine. \nThis could be a sign of \"conhost\"
+        usage as a LOLBIN or potential process injection activity.\nconhost.exe can
+        be used as proxy the execution of arbitrary commands\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'conhost.exe --headless calc.exe
+
+          '
+        cleanup_command: 'Stop-Process -Name calc*
+
+          '
+        name: powershell
+        elevation_required: true
  T1556.009:
    technique:
      modified: '2024-04-18T20:53:46.175Z'
@@ -16,6 +16,8 @@ In addition, Windows supports the `CreateDesktop()` API that can create a hidden

 - [Atomic Test #2 - Headless Browser Accessing Mockbin](#atomic-test-2---headless-browser-accessing-mockbin)

+- [Atomic Test #3 - Hidden Window-Conhost Execution](#atomic-test-3---hidden-window-conhost-execution)
+

 <br/>

@@ -90,4 +92,38 @@ taskkill /im #{browser} /f



+<br/>
+<br/>
+
+## Atomic Test #3 - Hidden Window-Conhost Execution
+Launch conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine. 
+This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
+conhost.exe can be used as proxy the execution of arbitrary commands
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5510d22f-2595-4911-8456-4d630c978616
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+conhost.exe --headless calc.exe
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name calc*
+```
+
+
+
+
+
 <br/>
@@ -41,6 +41,7 @@ atomic_tests:
      taskkill /im #{browser} /f
    name: command_prompt
 - name: Hidden Window-Conhost Execution
+  auto_generated_guid: 5510d22f-2595-4911-8456-4d630c978616
  description: |
    Launch conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine. 
    This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
@@ -1666,3 +1666,4 @@ b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
 c095ad8e-4469-4d33-be9d-6f6d1fb21585
 fdd45306-74f6-4ade-9a97-0a4895961228
 2db7852e-5a32-4ec7-937f-f4e027881700
+5510d22f-2595-4911-8456-4d630c978616