From 6f92864b889f60df38b2a7208d2d1dd96ccb59bc Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Fri, 29 Jul 2022 15:14:22 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 19 ++++++++++
 atomics/T1529/T1529.md | 35 +++++++++++++++++++
 6 files changed, 58 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 060e2d4e..4e6c0b83 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1290,6 +1290,7 @@ impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70a
 impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
 impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
 impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
+impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index ec7db3cd..7160dbb3 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -931,6 +931,7 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1
 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
+impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index abe3650f..9c728cb9 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2216,6 +2216,7 @@
 - Atomic Test #7: Reboot System via `halt` - Linux [linux]
 - Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
 - Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
+ - Atomic Test #10: Logoff System - Windows [windows]
 # initial-access
 - [T1133 External Remote Services](../../T1133/T1133.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 32fec16c..79c3f983 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1583,6 +1583,7 @@
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
 - Atomic Test #1: Shutdown System - Windows [windows]
 - Atomic Test #2: Restart System - Windows [windows]
+ - Atomic Test #10: Logoff System - Windows [windows]
 # initial-access
 - [T1133 External Remote Services](../../T1133/T1133.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index d9b81102..79a3ad66 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -96626,6 +96626,25 @@ impact:
 '
 name: bash
 elevation_required: true
+ - name: Logoff System - Windows
+ auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+ description: 'This test performs a Windows system logoff as seen in [dcrat backdoor
+ capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+
+ '
+ supported_platforms:
+ - windows
+ input_arguments:
+ timeout:
+ description: Timeout period before shutdown (seconds)
+ type: Integer
+ default: 1
+ executor:
+ command: 'shutdown /l /t #{timeout}
+
+ '
+ name: command_prompt
+ elevation_required: true
 initial-access:
 T1133:
 technique:
diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md
index 7ea68bd4..08bebfec 100644
--- a/atomics/T1529/T1529.md
+++ b/atomics/T1529/T1529.md
@@ -24,6 +24,8 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other
 - [Atomic Test #9 - Reboot System via `poweroff` - Linux](#atomic-test-9---reboot-system-via-poweroff---linux)
+- [Atomic Test #10 - Logoff System - Windows](#atomic-test-10---logoff-system---windows)
+
@@ -296,4 +298,37 @@ poweroff --reboot
+
+
+
+## Atomic Test #10 - Logoff System - Windows
+This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| timeout | Timeout period before shutdown (seconds) | Integer | 1|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+shutdown /l /t #{timeout}
+```
+
+
+
+
+
+