From 587dbb39e57a7ebfb9a59dfb3e00a0e9b4f3b4ab Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 14 Jun 2019 14:55:42 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1118/T1118.md | 25 +++++++++++++++++--
 atomics/index.md | 2 ++
 atomics/index.yaml | 52 +++++++++++++++++++++++++++++++++-------
 atomics/windows-index.md | 2 ++
 4 files changed, 71 insertions(+), 10 deletions(-)
diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md
index 7260d0f8..147e1b2e 100644
--- a/atomics/T1118/T1118.md
+++ b/atomics/T1118/T1118.md
@@ -8,6 +8,8 @@ Adversaries may use InstallUtil to proxy execution of code through a trusted Win
 - [Atomic Test #1 - InstallUtil uninstall method call](#atomic-test-1---installutil-uninstall-method-call)
+- [Atomic Test #2 - InstallUtil GetHelp method call](#atomic-test-2---installutil-gethelp-method-call)
+
@@ -20,11 +22,30 @@ Executes the Uninstall Method
 #### Inputs
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| filename | location of the payload | Path | T1118.dll|
+| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
 #### Run it with `command_prompt`!
 ```
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown)
 ```
+
+
+## Atomic Test #2 - InstallUtil GetHelp method call
+Executes the Uninstall Method
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
+
+#### Run it with `command_prompt`!
+```
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown)
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index c3a466ad..0f961080 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -265,6 +265,7 @@
 - Atomic Test #1: Install root CA on CentOS/RHEL [linux]
 - [T1118 InstallUtil](./T1118/T1118.md)
 - Atomic Test #1: InstallUtil uninstall method call [windows]
+ - Atomic Test #2: InstallUtil GetHelp method call [windows]
 - T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1152 Launchctl](./T1152/T1152.md)
 - Atomic Test #1: Launchctl [macos]
@@ -571,6 +572,7 @@
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1118 InstallUtil](./T1118/T1118.md)
 - Atomic Test #1: InstallUtil uninstall method call [windows]
+ - Atomic Test #2: InstallUtil GetHelp method call [windows]
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1152 Launchctl](./T1152/T1152.md)
 - Atomic Test #1: Launchctl [macos]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 98bdda57..6fb00113 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -7335,12 +7335,30 @@ defense-evasion:
 filename:
 description: location of the payload
 type: Path
- default: T1118.dll
+ default: C:\AtomicRedTeam\atomics\T1118\src\T1118.dll
 executor:
 name: command_prompt
- command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown)
+ command: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /target:library
+ /out:C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.dll C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.cs
+ \nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile=
+ /LogToConsole=false /U #(unknown)\n"
+ - name: InstallUtil GetHelp method call
+ description: 'Executes the Uninstall Method
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ filename:
+ description: location of the payload
+ type: Path
+ default: C:\AtomicRedTeam\atomics\T1118\src\T1118.dll
+ executor:
+ name: command_prompt
+ command: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /target:library
+ /out:C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.dll C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.cs
+ \nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /?
+ #(unknown)\n"
 T1152:
 technique:
 external_references:
@@ -16123,12 +16141,30 @@ execution:
 filename:
 description: location of the payload
 type: Path
- default: T1118.dll
+ default: C:\AtomicRedTeam\atomics\T1118\src\T1118.dll
 executor:
 name: command_prompt
- command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown)
+ command: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /target:library
+ /out:C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.dll C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.cs
+ \nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile=
+ /LogToConsole=false /U #(unknown)\n"
+ - name: InstallUtil GetHelp method call
+ description: 'Executes the Uninstall Method
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ filename:
+ description: location of the payload
+ type: Path
+ default: C:\AtomicRedTeam\atomics\T1118\src\T1118.dll
+ executor:
+ name: command_prompt
+ command: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /target:library
+ /out:C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.dll C:\\AtomicRedTeam\\atomics\\T1118\\src\\T1118.cs
+ \nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /?
+ #(unknown)\n"
 T1152:
 technique:
 external_references:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 968b2f9e..0c8c9d76 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -75,6 +75,7 @@
 - [T1130 Install Root Certificate](./T1130/T1130.md)
 - [T1118 InstallUtil](./T1118/T1118.md)
 - Atomic Test #1: InstallUtil uninstall method call [windows]
+ - Atomic Test #2: InstallUtil GetHelp method call [windows]
 - [T1036 Masquerading](./T1036/T1036.md)
 - Atomic Test #1: Masquerading as Windows LSASS process [windows]
 - [T1112 Modify Registry](./T1112/T1112.md)
@@ -461,6 +462,7 @@
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1118 InstallUtil](./T1118/T1118.md)
 - Atomic Test #1: InstallUtil uninstall method call [windows]
+ - Atomic Test #2: InstallUtil GetHelp method call [windows]
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]