From 7232ea17890d64363619a160b445593ff98b6ac6 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 3 Dec 2019 19:45:46 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
atomics/T1012/T1012.md | 23 ++++++++++++++---------
atomics/index.yaml | 22 +++++++++++++---------
2 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md
index df2a776b..4dde0dc5 100644
--- a/atomics/T1012/T1012.md
+++ b/atomics/T1012/T1012.md
@@ -30,15 +30,16 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
 #### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
 ```
+powershell.exe New-Item -ItemType Directory -Name ART1012 -Path $env:USERPROFILE\AppData\Local\Temp\
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
-reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
-reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
-reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
-reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
+reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
+reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
@@ -47,13 +48,17 @@ reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
-reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
-reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-reg save HKLM\Security security.hive
-reg save HKLM\System system.hive
-reg save HKLM\SAM sam.hive
+reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg save HKLM\Security $env:USERPROFILE\AppData\Local\Temp\ART1012\security.hive"
+reg save HKLM\System $env:USERPROFILE\AppData\Local\Temp\ART1012\system.hive"
+reg save HKLM\SAM $env:USERPROFILE\AppData\Local\Temp\ART1012\sam.hive"
 ```
+#### Cleanup Commands:
+```
+rmdir /q /s $env:USERPROFILE\AppData\Local\Temp\ART1012\
+```
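Review bot: The three added `reg save` lines and the new cleanup `rmdir` use the PowerShell form `$env:USERPROFILE`, but this executor is `command_prompt` and cmd.exe does not expand that syntax — only the preceding `powershell.exe New-Item` line is run through PowerShell — so the hives are written to (and the cleanup targets) a literal relative `$env:USERPROFILE\...` path rather than the directory that was just created, and the test will not produce the artifacts it documents. Each `reg save` line also ends with an unmatched `"`. Under cmd these should read like `rmdir /q /s %USERPROFILE%\AppData\Local\Temp\ART1012\` and `reg save HKLM\Security %USERPROFILE%\AppData\Local\Temp\ART1012\security.hive`, wrapping the whole path in quotes if it is quoted at all. The identical lines appear in the index.yaml hunk below, and since both files are generated the correction belongs in the atomic definition they are generated from. The fenced code block these lines sit in opens outside this hunk.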
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 92d07922..45f0c0df 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -17013,15 +17013,16 @@ discovery:
 name: command_prompt
 elevation_required: true
 command: |
+ powershell.exe New-Item -ItemType Directory -Name ART1012 -Path $env:USERPROFILE\AppData\Local\Temp\
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
- reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
- reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
+ reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
+ reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+ reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
@@ -17030,11 +17031,14 @@ discovery:
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
- reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- reg save HKLM\Security security.hive
- reg save HKLM\System system.hive
- reg save HKLM\SAM sam.hive
+ reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
+ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+ reg save HKLM\Security $env:USERPROFILE\AppData\Local\Temp\ART1012\security.hive"
+ reg save HKLM\System $env:USERPROFILE\AppData\Local\Temp\ART1012\system.hive"
+ reg save HKLM\SAM $env:USERPROFILE\AppData\Local\Temp\ART1012\sam.hive"
+ cleanup_command: 'rmdir /q /s $env:USERPROFILE\AppData\Local\Temp\ART1012\
+
+'
 T1018:
 technique:
 x_mitre_data_sources: