Generated docs from job=generate-docs branch=master [ci skip]

2024-07-03 01:11:11 +00:00
parent 137fb9f7e3
commit 4fa2ba6608
12 changed files with 83 additions and 4 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1582-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1583-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -151,6 +151,7 @@ defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Se
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
+defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution - Scriptrunner.exe,0fd14730-6226-4f5e-8d67-43c65f1be940,powershell
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
@@ -88,6 +88,7 @@ defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Se
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
+defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution - Scriptrunner.exe,0fd14730-6226-4f5e-8d67-43c65f1be940,powershell
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
@@ -198,6 +198,7 @@
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
  - Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
+  - Atomic Test #4: Indirect Command Execution - Scriptrunner.exe [windows]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
@@ -124,6 +124,7 @@
  - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
  - Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
+  - Atomic Test #4: Indirect Command Execution - Scriptrunner.exe [windows]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
@@ -7640,6 +7640,25 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Indirect Command Execution - Scriptrunner.exe
+      auto_generated_guid: 0fd14730-6226-4f5e-8d67-43c65f1be940
+      description: |-
+        The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting. Upon test execution, calc.exe should open
+        Reference: https://x.com/NickTyrer/status/914234924655312896
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload_path:
+          description: Path to the executable
+          type: String
+          default: C:\Windows\System32\calc.exe
+      dependency_executor_name: 
+      dependencies: 
+      executor:
+        command: Scriptrunner.exe -appvscript "#{payload_path}"
+        cleanup_command: 
+        name: powershell
+        elevation_required: false
  T1140:
    technique:
      modified: '2023-08-14T19:28:18.334Z'
@@ -6015,6 +6015,25 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Indirect Command Execution - Scriptrunner.exe
+      auto_generated_guid: 0fd14730-6226-4f5e-8d67-43c65f1be940
+      description: |-
+        The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting. Upon test execution, calc.exe should open
+        Reference: https://x.com/NickTyrer/status/914234924655312896
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload_path:
+          description: Path to the executable
+          type: String
+          default: C:\Windows\System32\calc.exe
+      dependency_executor_name: 
+      dependencies: 
+      executor:
+        command: Scriptrunner.exe -appvscript "#{payload_path}"
+        cleanup_command: 
+        name: powershell
+        elevation_required: false
  T1140:
    technique:
      modified: '2023-08-14T19:28:18.334Z'
@@ -12,6 +12,8 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.

 - [Atomic Test #3 - Indirect Command Execution - conhost.exe](#atomic-test-3---indirect-command-execution---conhostexe)

+- [Atomic Test #4 - Indirect Command Execution - Scriptrunner.exe](#atomic-test-4---indirect-command-execution---scriptrunnerexe)
+

 <br/>

@@ -120,4 +122,38 @@ conhost.exe "#{process}"



+<br/>
+<br/>
+
+## Atomic Test #4 - Indirect Command Execution - Scriptrunner.exe
+The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting. Upon test execution, calc.exe should open
+Reference: https://x.com/NickTyrer/status/914234924655312896
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0fd14730-6226-4f5e-8d67-43c65f1be940
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| payload_path | Path to the executable | String | C:&#92;Windows&#92;System32&#92;calc.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Scriptrunner.exe -appvscript "#{payload_path}"
+```
+
+
+
+
+
+
 <br/>
@@ -59,7 +59,7 @@ atomic_tests:
      conhost.exe "#{process}"
    name: command_prompt
 - name: Indirect Command Execution - Scriptrunner.exe
-  auto_generated_guid: 
+  auto_generated_guid: 0fd14730-6226-4f5e-8d67-43c65f1be940
  description: |-
    The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting. Upon test execution, calc.exe should open
    Reference: https://x.com/NickTyrer/status/914234924655312896
@@ -1620,3 +1620,4 @@ ecbd533e-b45d-4239-aeff-b857c6f6d68b
 235b30a2-e5b1-441f-9705-be6231c88ddd
 8a7f56ee-10e7-444c-a139-0109438288eb
 7bcf83bf-f5ef-425c-9d9a-71618ad9ed12
+0fd14730-6226-4f5e-8d67-43c65f1be940