Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-01-25 13:43:05 +00:00
parent 3b9bddaf20
commit 3fe613c6dd
6 changed files with 33 additions and 16 deletions
@@ -528,7 +528,7 @@ defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
-defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -314,7 +314,7 @@ defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
-defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -962,7 +962,7 @@
  - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #3: attrib - Remove read-only attribute [windows]
  - Atomic Test #4: attrib - hide file [windows]
-  - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
+  - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
 - [T1220 XSL Script Processing](../../T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
@@ -569,7 +569,7 @@
  - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #3: attrib - Remove read-only attribute [windows]
  - Atomic Test #4: attrib - hide file [windows]
-  - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
+  - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
 - [T1220 XSL Script Processing](../../T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
@@ -42143,15 +42143,24 @@ defense-evasion:
          del #{file_or_folder}\T1222.001_attrib*.txt
          rmdir #{file_or_folder}
        name: command_prompt
-    - name: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style
+    - name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style
      auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
-      description: Invokes the command line used by Ryuk Ransomware to grant full
-        access to the entire C:\ drive for Everyone.
+      description: |
+        Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.
+        **icacls "C:\*" /grant Everyone:F /T /C /Q**
+        However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host.
+        You can set your own path variable to "C:\*" if you prefer.
      supported_platforms:
      - windows
+      input_arguments:
+        path:
+          description: Path of folder to recursively set permissions on
+          type: path
+          default: C:\Users\Public\*
      executor:
-        command: icacls "C:\*" /grant Everyone:F /T /C /Q
-        name: powershell
+        command: icacls "#{path}" /grant Everyone:F /T /C /Q
+        name: command_prompt
+        elevation_required: true
  T1220:
    technique:
      id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
@@ -16,7 +16,7 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as

 - [Atomic Test #4 - attrib - hide file](#atomic-test-4---attrib---hide-file)

- [Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style)
+- [Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-folder-for-everyone---ryuk-ransomware-style)


 <br/>
@@ -209,20 +209,28 @@ echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
 <br/>
 <br/>

-## Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style
-Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.
+## Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style
+Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.
+**icacls "C:\*" /grant Everyone:F /T /C /Q**
+However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host.
+You can set your own path variable to "C:\*" if you prefer.

 **Supported Platforms:** Windows




-
-#### Attack Commands: Run with `powershell`! 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path | Path of folder to recursively set permissions on | path | C:&#92;Users&#92;Public&#92;*|


-```powershell
-icacls "C:\*" /grant Everyone:F /T /C /Q
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+icacls "#{path}" /grant Everyone:F /T /C /Q
 ```