From 641a1d027d65aa5efb8706c7adb6dabc28e1cab4 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 8 Oct 2019 18:02:00 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1038/T1038.md | 2 +-
 atomics/index.yaml | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/atomics/T1038/T1038.md b/atomics/T1038/T1038.md
index 8a0bde0c..c621811a 100644
--- a/atomics/T1038/T1038.md
+++ b/atomics/T1038/T1038.md
@@ -29,7 +29,7 @@ https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
 ```
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
-cmd.exe /c %APPDATA%\updater.exe
+cmd.exe /k %APPDATA%\updater.exe
 ```
 
 
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 222d91c6..4e0b268b 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -1385,10 +1385,10 @@ persistence:
 executor:
 name: command_prompt
 elevation_required: false
- command: |-
+ command: |
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
- cmd.exe /c %APPDATA%\updater.exe
+ cmd.exe /k %APPDATA%\updater.exe
 T1158:
 technique:
 external_references:
@@ -5823,10 +5823,10 @@ defense-evasion:
 executor:
 name: command_prompt
 elevation_required: false
- command: |-
+ command: |
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
- cmd.exe /c %APPDATA%\updater.exe
+ cmd.exe /k %APPDATA%\updater.exe
 T1140:
 technique:
 external_references:
@@ -11329,10 +11329,10 @@ privilege-escalation:
 executor:
 name: command_prompt
 elevation_required: false
- command: |-
+ command: |
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
 copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
- cmd.exe /c %APPDATA%\updater.exe
+ cmd.exe /k %APPDATA%\updater.exe
 T1179:
 technique:
 external_references: