Generated docs from job=generate-docs branch=master [ci skip]

2024-07-23 21:39:39 +00:00
parent 0a8ad64ee8
commit 229af9deb5
12 changed files with 110 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1606-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1607-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -1839,6 +1839,7 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,4,Disco
 discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,7,Discover System Language with dism.exe,69f625ba-938f-4900-bdff-82ada3df5d9c,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,8,Discover System Language by Windows API Query,e39b99e9-ce7f-4b24-9c88-0fbad069e6c6,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
@@ -1227,6 +1227,7 @@ discovery,T1201,Password Policy Discovery,11,Use of SecEdit.exe to export the lo
 discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,7,Discover System Language with dism.exe,69f625ba-938f-4900-bdff-82ada3df5d9c,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,8,Discover System Language by Windows API Query,e39b99e9-ce7f-4b24-9c88-0fbad069e6c6,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
@@ -2518,6 +2518,7 @@
  - Atomic Test #5: Discover System Language by locale file [linux]
  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
  - Atomic Test #7: Discover System Language with dism.exe [windows]
+  - Atomic Test #8: Discover System Language by Windows API Query [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
@@ -1752,6 +1752,7 @@
  - Atomic Test #1: Discover System Language by Registry Query [windows]
  - Atomic Test #2: Discover System Language with chcp [windows]
  - Atomic Test #7: Discover System Language with dism.exe [windows]
+  - Atomic Test #8: Discover System Language by Windows API Query [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
@@ -104011,6 +104011,33 @@ discovery:
        command: 'dism.exe /online /Get-Intl

          '
+    - name: Discover System Language by Windows API Query
+      auto_generated_guid: e39b99e9-ce7f-4b24-9c88-0fbad069e6c6
+      description: "This test executes a custom script called LanguageKeyboardLayout.exe
+        which outputs the values of the following Windows API functions to the user
+        terminal: \n\n`GetKeyboardLayout`, `GetKeyboardLayoutList`, `GetUserDefaultUILanguage`,
+        `GetSystemDefaultUILanguage`, `GetUserDefaultLangID`.\n\nDocumentation for
+        these functions is located [here](https://learn.microsoft.com/en-us/windows/win32/api/winuser/).
+        \   \n"
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'LanguageKeyboardLayout.exe must exist on disk (default location:
+          PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe)
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") -ErrorAction Ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1614.001/bin/LanguageKeyboardLayout.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
  T1012:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -85054,6 +85054,33 @@ discovery:
        command: 'dism.exe /online /Get-Intl

          '
+    - name: Discover System Language by Windows API Query
+      auto_generated_guid: e39b99e9-ce7f-4b24-9c88-0fbad069e6c6
+      description: "This test executes a custom script called LanguageKeyboardLayout.exe
+        which outputs the values of the following Windows API functions to the user
+        terminal: \n\n`GetKeyboardLayout`, `GetKeyboardLayoutList`, `GetUserDefaultUILanguage`,
+        `GetSystemDefaultUILanguage`, `GetUserDefaultLangID`.\n\nDocumentation for
+        these functions is located [here](https://learn.microsoft.com/en-us/windows/win32/api/winuser/).
+        \   \n"
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'LanguageKeyboardLayout.exe must exist on disk (default location:
+          PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe)
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") -ErrorAction Ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1614.001/bin/LanguageKeyboardLayout.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
  T1012:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -24,6 +24,8 @@ On a macOS or Linux system, adversaries may query <code>locale</code> to retriev

 - [Atomic Test #7 - Discover System Language with dism.exe](#atomic-test-7---discover-system-language-with-dismexe)

+- [Atomic Test #8 - Discover System Language by Windows API Query](#atomic-test-8---discover-system-language-by-windows-api-query)
+

 <br/>

@@ -270,4 +272,49 @@ dism.exe /online /Get-Intl



+<br/>
+<br/>
+
+## Atomic Test #8 - Discover System Language by Windows API Query
+This test executes a custom script called LanguageKeyboardLayout.exe which outputs the values of the following Windows API functions to the user terminal: 
+
+`GetKeyboardLayout`, `GetKeyboardLayoutList`, `GetUserDefaultUILanguage`, `GetSystemDefaultUILanguage`, `GetUserDefaultLangID`.
+
+Documentation for these functions is located [here](https://learn.microsoft.com/en-us/windows/win32/api/winuser/).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e39b99e9-ce7f-4b24-9c88-0fbad069e6c6
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: LanguageKeyboardLayout.exe must exist on disk (default location: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe)
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") -ErrorAction Ignore | Out-Null
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1614.001/bin/LanguageKeyboardLayout.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe"
+```
+
+
+
+
 <br/>
@@ -115,6 +115,7 @@ atomic_tests:
    command: |
      dism.exe /online /Get-Intl
 - name: Discover System Language by Windows API Query
+  auto_generated_guid: e39b99e9-ce7f-4b24-9c88-0fbad069e6c6
  description: |
    This test executes a custom script called LanguageKeyboardLayout.exe which outputs the values of the following Windows API functions to the user terminal: 

@@ -1645,3 +1645,4 @@ ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
 b051b3c0-66e7-4a81-916d-e6383bd3a669
 91580da6-bc6e-431b-8b88-ac77180005f2
 4469192c-2d2d-4a3a-9758-1f31d937a92b
+e39b99e9-ce7f-4b24-9c88-0fbad069e6c6