Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-01-05 21:35:39 +00:00
parent 9446159b59
commit 131febbcdb
6 changed files with 70 additions and 0 deletions
@@ -559,6 +559,7 @@ defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo c
 defense-evasion,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
+defense-evasion,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
 defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
@@ -827,6 +828,7 @@ discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103
 discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
+discovery,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -372,6 +372,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisa
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
+defense-evasion,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
 defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
@@ -551,6 +552,7 @@ discovery,T1518.001,Security Software Discovery,6,Security Software Discovery -
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
 discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
+discovery,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
 discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
@@ -888,6 +888,7 @@
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
+  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1221 Template Injection](../../T1221/T1221.md)
@@ -1347,6 +1348,7 @@
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
  - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
+  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
  - Atomic Test #2: System Information Discovery [macos]
@@ -624,6 +624,7 @@
 - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1497.001 System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
+  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1221 Template Injection](../../T1221/T1221.md)
  - Atomic Test #1: WINWORD Remote Template Injection [windows]
@@ -952,6 +953,7 @@
  - Atomic Test #2: Applications Installed [windows]
 - [T1497.001 System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
+  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
  - Atomic Test #6: Hostname Discovery (Windows) [windows]
@@ -37529,6 +37529,21 @@ defense-evasion:
          detected''; fi;

 '
+    - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
+      auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
+      description: "Windows Management Instrumentation(WMI) objects contain system
+        information which helps to detect virtualization. This test will get the model
+        and manufacturer of the machine to determine if it is a virtual machine, such
+        as through VMware or VirtualBox. \n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
+          $Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
+          if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
  T1542.001:
    technique:
      id: attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada
@@ -56347,6 +56362,21 @@ discovery:
          detected''; fi;

 '
+    - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
+      auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
+      description: "Windows Management Instrumentation(WMI) objects contain system
+        information which helps to detect virtualization. This test will get the model
+        and manufacturer of the machine to determine if it is a virtual machine, such
+        as through VMware or VirtualBox. \n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
+          $Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
+          if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
  T1082:
    technique:
      object_marking_refs:
@@ -18,6 +18,8 @@ Hardware checks, such as the presence of the fan, temperature, and audio devices

 - [Atomic Test #3 - Detect Virtualization Environment (MacOS)](#atomic-test-3---detect-virtualization-environment-macos)

+- [Atomic Test #4 - Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)](#atomic-test-4---detect-virtualization-environment-via-wmi-manufacturermodel-listing-windows)
+

 <br/>

@@ -109,4 +111,34 @@ if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualB



+<br/>
+<br/>
+
+## Atomic Test #4 - Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
+Windows Management Instrumentation(WMI) objects contain system information which helps to detect virtualization. This test will get the model and manufacturer of the machine to determine if it is a virtual machine, such as through VMware or VirtualBox.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4a41089a-48e0-47aa-82cb-5b81a463bc78
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
+$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
+if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
+```
+
+
+
+
+
+
 <br/>