Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -561,6 +561,8 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
@@ -797,6 +799,8 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -423,6 +423,8 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
@@ -597,6 +599,8 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -858,6 +858,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
   - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1306,6 +1308,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
   - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - [T1098 Account Manipulation](../../T1098/T1098.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -650,6 +650,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -971,6 +973,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #1: Admin Account Manipulate [windows]
   - Atomic Test #2: Domain Account and Group Manipulate [windows]

atomics/Indexes/index.yaml

@@ -36737,6 +36737,48 @@ privilege-escalation:
           Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
         name: powershell
         elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
   T1547.006:
     technique:
       x_mitre_platforms:
@@ -58790,6 +58832,48 @@ persistence:
           Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
         name: powershell
         elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
   T1136.003:
     technique:
       x_mitre_platforms:

atomics/T1547.001/T1547.001.md

@@ -72,6 +72,10 @@ Adversaries can use these configuration locations to execute malware, such as re
 
 - [Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value ](#atomic-test-15---hklm---modify-default-system-shell---winlogon-shell-key-value-)
 
+- [Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-16---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
+
+- [Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-17---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
+
 
 <br/>
 
@@ -670,4 +674,84 @@ Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\W
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a574dafe-a903-4cce-9701-14040f4f3532
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$path = "HKCU:\Software\Microsoft\Command Processor"
+if (!(Test-Path -path $path)){
+  New-Item -ItemType Key -Path $path
+}
+New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>