Generate docs from job=validate_atomics_generate_docs branch=master
This commit is contained in:
CircleCI Atomic Red Team doc generator
parent
01757e0df0
commit
7232ea1789
+14
-9
@@ -30,15 +30,16 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
|
||||
|
||||
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
```
|
||||
powershell.exe New-Item -ItemType Directory -Name ART1012 -Path $env:USERPROFILE\AppData\Local\Temp\
|
||||
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
|
||||
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
|
||||
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
|
||||
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
|
||||
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
|
||||
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
|
||||
@@ -47,13 +48,17 @@ reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||
reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
|
||||
reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg save HKLM\Security security.hive
|
||||
reg save HKLM\System system.hive
|
||||
reg save HKLM\SAM sam.hive
|
||||
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg save HKLM\Security $env:USERPROFILE\AppData\Local\Temp\ART1012\security.hive"
|
||||
reg save HKLM\System $env:USERPROFILE\AppData\Local\Temp\ART1012\system.hive"
|
||||
reg save HKLM\SAM $env:USERPROFILE\AppData\Local\Temp\ART1012\sam.hive"
|
||||
```
|
||||
|
||||
|
||||
#### Cleanup Commands:
|
||||
```
|
||||
rmdir /q /s $env:USERPROFILE\AppData\Local\Temp\ART1012\
|
||||
```
|
||||
|
||||
<br/>
|
||||
|
||||
+13
-9
@@ -17013,15 +17013,16 @@ discovery:
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
command: |
|
||||
powershell.exe New-Item -ItemType Directory -Name ART1012 -Path $env:USERPROFILE\AppData\Local\Temp\
|
||||
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
|
||||
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
|
||||
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
|
||||
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
|
||||
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
|
||||
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
|
||||
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
|
||||
@@ -17030,11 +17031,14 @@ discovery:
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
|
||||
reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
|
||||
reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg save HKLM\Security security.hive
|
||||
reg save HKLM\System system.hive
|
||||
reg save HKLM\SAM sam.hive
|
||||
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
reg save HKLM\Security $env:USERPROFILE\AppData\Local\Temp\ART1012\security.hive"
|
||||
reg save HKLM\System $env:USERPROFILE\AppData\Local\Temp\ART1012\system.hive"
|
||||
reg save HKLM\SAM $env:USERPROFILE\AppData\Local\Temp\ART1012\sam.hive"
|
||||
cleanup_command: 'rmdir /q /s $env:USERPROFILE\AppData\Local\Temp\ART1012\
|
||||
|
||||
'
|
||||
T1018:
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
|
||||
Reference in New Issue
Block a user