Generate docs from job=validate_atomics_generate_docs branch=master

2020-04-01 00:23:21 +00:00
parent 5af629b9fc
commit 4c6d1b8b70
4 changed files with 60 additions and 43 deletions
@@ -14,7 +14,7 @@ An adversary may gather the system time and/or time zone from a local or remote
 <br/>

 ## Atomic Test #1 - System Time Discovery
-Identify the system time
+Identify the system time. Upon execution, the local computer system time and timezone will be displayed.

 **Supported Platforms:** Windows

@@ -44,7 +44,7 @@ w32tm /tz
 <br/>

 ## Atomic Test #2 - System Time Discovery - PowerShell
-Identify the system time via PowerShell
+Identify the system time via PowerShell. Upon execution, the system time will be displayed.

 **Supported Platforms:** Windows

@@ -100,7 +100,8 @@ dscl . -delete /Users/#{username}
 <br/>

 ## Atomic Test #3 - Create a new user in a command prompt
-Creates a new user in a command prompt
+Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
+new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"

 **Supported Platforms:** Windows

@@ -134,7 +135,8 @@ net user /del "#{username}"
 <br/>

 ## Atomic Test #4 - Create a new user in PowerShell
-Creates a new user in PowerShell
+Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
+new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"

 **Supported Platforms:** Windows

@@ -26,11 +26,8 @@ To keep shims secure, Windows designed them to run in user mode so they cannot m
 <br/>

 ## Atomic Test #1 - Application Shim Installation
-To test injecting DLL into a custom application
-you need to copy AtomicShim.dll Into C:\Tools
-As well as Compile the custom app.
-We believe observing the shim install is a good
-place to start.
+Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+will be displayed.

 **Supported Platforms:** Windows

@@ -48,9 +45,12 @@ place to start.

 ```cmd
 sdbinst.exe #{file_path}
-sdbinst.exe -u #{file_path}
 ```

+#### Cleanup Commands:
+```cmd
+sdbinst.exe -u #{file_path}
+```



@@ -73,6 +73,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>

 ## Atomic Test #2 - New shim database files created in the default shim database directory
+Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+
 https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

 **Supported Platforms:** Windows
@@ -103,6 +105,9 @@ Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAc
 <br/>

 ## Atomic Test #3 - Registry key creation and/or modification events for SDB
+Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+the registry keys that were created. These keys can also be viewed using the Registry Editor.
+
 https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

 **Supported Platforms:** Windows
@@ -614,11 +614,8 @@ persistence:
    atomic_tests:
    - name: Application Shim Installation
      description: |
-        To test injecting DLL into a custom application
-        you need to copy AtomicShim.dll Into C:\Tools
-        As well as Compile the custom app.
-        We believe observing the shim install is a good
-        place to start.
+        Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+        will be displayed.
      supported_platforms:
      - windows
      input_arguments:
@@ -636,13 +633,17 @@ persistence:
      executor:
        name: command_prompt
        elevation_required: true
-        command: |
-          sdbinst.exe #{file_path}
-          sdbinst.exe -u #{file_path}
-    - name: New shim database files created in the default shim database directory
-      description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+        command: 'sdbinst.exe #{file_path}

 '
+        cleanup_command: 'sdbinst.exe -u #{file_path}
+
+'
+    - name: New shim database files created in the default shim database directory
+      description: |
+        Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+
+        https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
      supported_platforms:
      - windows
      executor:
@@ -655,9 +656,11 @@ persistence:
          Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
          Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
    - name: Registry key creation and/or modification events for SDB
-      description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+      description: |
+        Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+        the registry keys that were created. These keys can also be viewed using the Registry Editor.

-'
+        https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
      supported_platforms:
      - windows
      executor:
@@ -1174,9 +1177,9 @@ persistence:

 '
    - name: Create a new user in a command prompt
-      description: 'Creates a new user in a command prompt
-
-'
+      description: |
+        Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
+        new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
      supported_platforms:
      - windows
      input_arguments:
@@ -1198,9 +1201,9 @@ persistence:

 '
    - name: Create a new user in PowerShell
-      description: 'Creates a new user in PowerShell
-
-'
+      description: |
+        Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
+        new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
      supported_platforms:
      - windows
      input_arguments:
@@ -1239,7 +1242,9 @@ persistence:
        command: |
          useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
          echo "#{password}" | passwd --stdin #{username}
-        cleanup_command: 'userdel #{username}'
+        cleanup_command: 'userdel #{username}
+
+'
  T1038:
    technique:
      x_mitre_permissions_required:
@@ -13445,11 +13450,8 @@ privilege-escalation:
    atomic_tests:
    - name: Application Shim Installation
      description: |
-        To test injecting DLL into a custom application
-        you need to copy AtomicShim.dll Into C:\Tools
-        As well as Compile the custom app.
-        We believe observing the shim install is a good
-        place to start.
+        Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+        will be displayed.
      supported_platforms:
      - windows
      input_arguments:
@@ -13467,13 +13469,17 @@ privilege-escalation:
      executor:
        name: command_prompt
        elevation_required: true
-        command: |
-          sdbinst.exe #{file_path}
-          sdbinst.exe -u #{file_path}
-    - name: New shim database files created in the default shim database directory
-      description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+        command: 'sdbinst.exe #{file_path}

 '
+        cleanup_command: 'sdbinst.exe -u #{file_path}
+
+'
+    - name: New shim database files created in the default shim database directory
+      description: |
+        Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+
+        https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
      supported_platforms:
      - windows
      executor:
@@ -13486,9 +13492,11 @@ privilege-escalation:
          Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
          Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
    - name: Registry key creation and/or modification events for SDB
-      description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+      description: |
+        Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+        the registry keys that were created. These keys can also be viewed using the Registry Editor.

-'
+        https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
      supported_platforms:
      - windows
      executor:
@@ -19248,7 +19256,8 @@ discovery:
      identifier: T1124
    atomic_tests:
    - name: System Time Discovery
-      description: 'Identify the system time
+      description: 'Identify the system time. Upon execution, the local computer system
+        time and timezone will be displayed.

 '
      supported_platforms:
@@ -19265,7 +19274,8 @@ discovery:
          net time \\#{computer_name}
          w32tm /tz
    - name: System Time Discovery - PowerShell
-      description: 'Identify the system time via PowerShell
+      description: 'Identify the system time via PowerShell. Upon execution, the system
+        time will be displayed.

 '
      supported_platforms: