Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
This commit is contained in:
parent
f6849b45b8
commit
12ca65b029
@@ -734,6 +734,7 @@ discovery,T1087.001,Local Account,11,Enumerate logged on users via PowerShell,2b
|
||||
discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
|
||||
discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
|
||||
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
|
||||
discovery,T1069.001,Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
|
||||
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
|
||||
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
|
||||
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
|
||||
|
||||
|
@@ -489,6 +489,7 @@ discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a
|
||||
discovery,T1087.001,Local Account,11,Enumerate logged on users via PowerShell,2bdc42c7-8907-40c2-9c2b-42919a00fe03,powershell
|
||||
discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
|
||||
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
|
||||
discovery,T1069.001,Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
|
||||
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
|
||||
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
|
||||
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
|
||||
|
||||
|
@@ -1242,6 +1242,7 @@
|
||||
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
|
||||
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
|
||||
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
|
||||
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
|
||||
- [T1046 Network Service Scanning](../../T1046/T1046.md)
|
||||
- Atomic Test #1: Port Scan [linux, macos]
|
||||
- Atomic Test #2: Port Scan Nmap [linux, macos]
|
||||
|
||||
@@ -878,6 +878,7 @@
|
||||
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
|
||||
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
|
||||
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
|
||||
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
|
||||
- [T1046 Network Service Scanning](../../T1046/T1046.md)
|
||||
- Atomic Test #3: Port Scan NMap for Windows [windows]
|
||||
- Atomic Test #4: Port Scan using python [windows]
|
||||
|
||||
@@ -53181,6 +53181,49 @@ discovery:
|
||||
get-localgroup
|
||||
Get-LocalGroupMember -Name "Administrators"
|
||||
name: powershell
|
||||
- name: SharpHound3 - LocalAdmin
|
||||
auto_generated_guid: e03ada14-0980-4107-aff1-7783b2b59bb1
|
||||
description: 'This module runs the Windows executable of SharpHound in order
|
||||
to remotely list members of the local Administrators group (SAMR)
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
domain:
|
||||
description: FQDN of the targeted domain
|
||||
type: string
|
||||
default: DOMAIN.CORP
|
||||
sharphound_path:
|
||||
description: SharpHound Windows executable
|
||||
type: path
|
||||
default: "$env:TEMP\\SharpHound.exe"
|
||||
output_path:
|
||||
description: Output for SharpHound
|
||||
type: path
|
||||
default: "$env:TEMP\\SharpHound\\"
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
SharpHound binary must exist on disk and at specified location (#{sharphound_path}).
|
||||
And the computer must be domain joined (implicit authentication).
|
||||
prereq_command: 'if (Test-Path "#{sharphound_path}") { exit 0 } else { exit
|
||||
1 }
|
||||
|
||||
'
|
||||
get_prereq_command: 'Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true"
|
||||
-OutFile "#{sharphound_path}"
|
||||
|
||||
'
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
New-Item -Path "#{output_path}" -ItemType Directory > $null
|
||||
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
|
||||
cleanup_command: 'Remove-Item -Recurse #{output_path}
|
||||
|
||||
'
|
||||
T1046:
|
||||
technique:
|
||||
id: attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88
|
||||
|
||||
@@ -12,6 +12,8 @@ Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.o
|
||||
|
||||
- [Atomic Test #3 - Permission Groups Discovery PowerShell (Local)](#atomic-test-3---permission-groups-discovery-powershell-local)
|
||||
|
||||
- [Atomic Test #4 - SharpHound3 - LocalAdmin](#atomic-test-4---sharphound3---localadmin)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -102,4 +104,57 @@ Get-LocalGroupMember -Name "Administrators"
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - SharpHound3 - LocalAdmin
|
||||
This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** e03ada14-0980-4107-aff1-7783b2b59bb1
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| domain | FQDN of the targeted domain | string | DOMAIN.CORP|
|
||||
| sharphound_path | SharpHound Windows executable | path | $env:TEMP\SharpHound.exe|
|
||||
| output_path | Output for SharpHound | path | $env:TEMP\SharpHound\|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
New-Item -Path "#{output_path}" -ItemType Directory > $null
|
||||
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-Item -Recurse #{output_path}
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: SharpHound binary must exist on disk and at specified location (#{sharphound_path}).
|
||||
And the computer must be domain joined (implicit authentication).
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||