Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-08-30 19:52:44 +00:00
parent 7e4f6a4b88
commit 38b2b2f2d3
6 changed files with 92 additions and 0 deletions
@@ -406,6 +406,7 @@ defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
@@ -252,6 +252,7 @@ defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742
 defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
@@ -675,6 +675,7 @@
 - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
  - Atomic Test #1: Mount ISO image [windows]
  - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
+  - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
 - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
@@ -459,6 +459,7 @@
 - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
  - Atomic Test #1: Mount ISO image [windows]
  - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
+  - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
 - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
@@ -29002,6 +29002,40 @@ defense-evasion:
          Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
          Stop-process -name "hello" -Force -ErrorAction ignore
        name: powershell
+    - name: Remove the Zone.Identifier alternate data stream
+      auto_generated_guid: 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9
+      description: |
+        Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
+        Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_download:
+          description: File that will be downloaded to test against.
+          type: url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md
+        file_path:
+          description: File to have the Zone.Identifier removed.
+          type: String
+          default: "$env:tmp\\ReadMe.md"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: A test file with the Zone.Identifier attribute must be present.
+        prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
+          Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+      executor:
+        command: 'Unblock-File -Path #{file_path}
+
+'
+        cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value
+          ''[ZoneTransfer]'',''ZoneId=3''
+
+'
+        name: powershell
  T1036.004:
    technique:
      external_references:
@@ -10,6 +10,8 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a

 - [Atomic Test #2 - Mount an ISO image and run executable from the ISO](#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso)

+- [Atomic Test #3 - Remove the Zone.Identifier alternate data stream](#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream)
+

 <br/>

@@ -115,4 +117,56 @@ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/



+<br/>
+<br/>
+
+## Atomic Test #3 - Remove the Zone.Identifier alternate data stream
+Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
+Removing this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_download | File that will be downloaded to test against. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md|
+| file_path | File to have the Zone.Identifier removed. | String | $env:tmp&#92;ReadMe.md|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Unblock-File -Path #{file_path}
+```
+
+#### Cleanup Commands:
+```powershell
+Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: A test file with the Zone.Identifier attribute must be present.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
+Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
+```
+
+
+
+
 <br/>