Generated docs from job=generate-docs branch=master [ci skip]

2024-05-16 01:42:23 +00:00
parent c26905e768
commit 25fdb321ee
12 changed files with 120 additions and 4 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1562-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1563-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -1245,6 +1245,7 @@ command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-
 command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
 command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
 command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
+command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -833,6 +833,7 @@ command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-
 command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
 command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
 command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
+command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1722,6 +1722,7 @@
  - Atomic Test #11: MSP360 Connect Execution [windows]
  - Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
  - Atomic Test #13: Splashtop Execution [windows]
+  - Atomic Test #14: Splashtop Streamer Execution [windows]
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1186,6 +1186,7 @@
  - Atomic Test #11: MSP360 Connect Execution [windows]
  - Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
  - Atomic Test #13: Splashtop Execution [windows]
+  - Atomic Test #14: Splashtop Streamer Execution [windows]
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -73698,6 +73698,36 @@ command-and-control:
          '
        name: powershell
        elevation_required: true
+    - name: Splashtop Streamer Execution
+      auto_generated_guid: 3e1858ee-3550-401c-86ec-5e70ed79295b
+      description: An adversary may attempt to use Splashtop Streamer to gain unattended
+        remote interactive access. Upon successful execution, Splashtop streamer will
+        be executed.
+      supported_platforms:
+      - windows
+      input_arguments:
+        srserver_exe:
+          description: Splashtop streamer installation executables
+          type: string
+          default: SRServer.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Splashtop Streamer must be installed in the location
+        prereq_command: 'if (Test-Path "C:\Program Files (x86)\Splashtop\Splashtop
+          Remote\Server\#{srserver_exe}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |-
+          Write-Host Downloading Splashtop Streamer
+          New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://download.splashtop.com/win/Splashtop_Streamer_Win_INSTALLER_v3.6.4.1.exe" -OutFile  "C:\Temp\ExternalPayloads\Splashtop.exe"
+          Write-Host Installing Splashtop Streamer
+          Start-Process "c:\Temp\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s"
+      executor:
+        command: Start-Process -FilePath "C:Program Files (x86)\Splashtop\Splashtop
+          Remote\Server\#{srserver_exe}"
+        name: powershell
+        elevation_required: true
  T1659:
    technique:
      modified: '2023-10-01T02:28:45.147Z'
@@ -61018,6 +61018,36 @@ command-and-control:
          '
        name: powershell
        elevation_required: true
+    - name: Splashtop Streamer Execution
+      auto_generated_guid: 3e1858ee-3550-401c-86ec-5e70ed79295b
+      description: An adversary may attempt to use Splashtop Streamer to gain unattended
+        remote interactive access. Upon successful execution, Splashtop streamer will
+        be executed.
+      supported_platforms:
+      - windows
+      input_arguments:
+        srserver_exe:
+          description: Splashtop streamer installation executables
+          type: string
+          default: SRServer.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Splashtop Streamer must be installed in the location
+        prereq_command: 'if (Test-Path "C:\Program Files (x86)\Splashtop\Splashtop
+          Remote\Server\#{srserver_exe}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |-
+          Write-Host Downloading Splashtop Streamer
+          New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://download.splashtop.com/win/Splashtop_Streamer_Win_INSTALLER_v3.6.4.1.exe" -OutFile  "C:\Temp\ExternalPayloads\Splashtop.exe"
+          Write-Host Installing Splashtop Streamer
+          Start-Process "c:\Temp\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s"
+      executor:
+        command: Start-Process -FilePath "C:Program Files (x86)\Splashtop\Splashtop
+          Remote\Server\#{srserver_exe}"
+        name: powershell
+        elevation_required: true
  T1659:
    technique:
      modified: '2023-10-01T02:28:45.147Z'
@@ -36,6 +36,8 @@ Installation of many remote access software may also include persistence (e.g.,

 - [Atomic Test #13 - Splashtop Execution](#atomic-test-13---splashtop-execution)

+- [Atomic Test #14 - Splashtop Streamer Execution](#atomic-test-14---splashtop-streamer-execution)
+

 <br/>

@@ -623,4 +625,53 @@ start-sleep 30



+<br/>
+<br/>
+
+## Atomic Test #14 - Splashtop Streamer Execution
+An adversary may attempt to use Splashtop Streamer to gain unattended remote interactive access. Upon successful execution, Splashtop streamer will be executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3e1858ee-3550-401c-86ec-5e70ed79295b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| srserver_exe | Splashtop streamer installation executables | string | SRServer.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process -FilePath "C:Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Splashtop Streamer must be installed in the location
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\#{srserver_exe}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Downloading Splashtop Streamer
+New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://download.splashtop.com/win/Splashtop_Streamer_Win_INSTALLER_v3.6.4.1.exe" -OutFile  "C:\Temp\ExternalPayloads\Splashtop.exe"
+Write-Host Installing Splashtop Streamer
+Start-Process "c:\Temp\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s"
+```
+
+
+
+
 <br/>
@@ -317,7 +317,7 @@ atomic_tests:
    name: powershell
    elevation_required: true
 - name: Splashtop Streamer Execution
-  auto_generated_guid: 
+  auto_generated_guid: 3e1858ee-3550-401c-86ec-5e70ed79295b
  description: An adversary may attempt to use Splashtop Streamer to gain unattended remote interactive access. Upon successful execution, Splashtop streamer will be executed.
  supported_platforms:
  - windows
@@ -1610,3 +1610,4 @@ bb6b51e1-ab92-45b5-aeea-e410d06405f8
 b025c580-029e-4023-888d-a42710d76934
 7979dd41-2045-48b2-a54e-b1bc2415c9da
 bf07f520-3909-4ef5-aa22-877a50f2f77b
+3e1858ee-3550-401c-86ec-5e70ed79295b