Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -958,7 +958,8 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
-credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd,6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
+credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
+credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -693,7 +693,8 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
-credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd,6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
+credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
+credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1605,7 +1605,8 @@
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
   - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
-  - Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd [windows]
+  - Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
+  - Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
 - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
   - Atomic Test #1: Steal Firefox Cookies (Windows) [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1170,7 +1170,8 @@
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
   - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
-  - Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd [windows]
+  - Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
+  - Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
 - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
   - Atomic Test #1: Steal Firefox Cookies (Windows) [windows]

atomics/Indexes/index.yaml

@@ -73197,7 +73197,8 @@ credential-access:
           '
         name: powershell
         elevation_required: true
-    - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd
+    - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using
+        list)
       auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
       description: |-
         AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
@@ -73217,6 +73218,24 @@ credential-access:
           C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
         name: powershell
         elevation_required: true
+    - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using
+        config)
+      auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
+      description: |-
+        AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+        [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: IIS must be installed prior to running the test
+        prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed")
+          {exit 0} else {exit 1}
+        get_prereq_command: Install-WindowsFeature -name Web-Server -IncludeManagementTools
+      executor:
+        command: C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
+        name: powershell
+        elevation_required: true
   T1171:
     technique:
       x_mitre_platforms:

atomics/T1003/T1003.md

@@ -13,7 +13,9 @@ Several of the tools mentioned in associated sub-techniques may be used by both
 
 - [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
 
-- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd)
+- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
+
+- [Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
 
 
 <br/>
@@ -177,7 +179,7 @@ Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
 <br/>
 <br/>
 
-## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd
+## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
 AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
 [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
 
@@ -217,4 +219,45 @@ Install-WindowsFeature -name Web-Server -IncludeManagementTools
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
+AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 42510244-5019-48fa-a0e5-66c3b76e6049
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: IIS must be installed prior to running the test
+##### Check Prereq Commands:
+```powershell
+if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-WindowsFeature -name Web-Server -IncludeManagementTools
+```
+
+
+
+
 <br/>