Generated docs from job=generate-docs branch=master [ci skip]

2025-11-01 01:45:20 +00:00
parent d951b5b4ac
commit 7bf645a086
12 changed files with 272 additions and 34 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1749-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1750-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -2036,6 +2036,7 @@ discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumera
 discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
 discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
 discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
+discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
@@ -1403,6 +1403,7 @@ discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (Pow
 discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
 discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
+discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
@@ -2742,6 +2742,7 @@
  - Atomic Test #6: Launch DirLister Executable [windows]
  - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
  - Atomic Test #8: Identifying Network Shares - Linux [linux]
+  - Atomic Test #9: Recursive Enumerate Files And Directories By Powershell [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -1941,6 +1941,7 @@
  - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
  - Atomic Test #6: Launch DirLister Executable [windows]
  - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
+  - Atomic Test #9: Recursive Enumerate Files And Directories By Powershell [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -109974,10 +109974,10 @@ discovery:
        name: sh
    - name: Simulating MAZE Directory Enumeration
      auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
-      description: "This test emulates MAZE ransomware's ability to enumerate directories
-        using Powershell. \nUpon successful execution, this test will output the directory
-        enumeration results to a specified file, as well as display them in the active
-        window. \nSee https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n"
+      description: |
+        This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
+        Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
+        See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
      supported_platforms:
      - windows
      input_arguments:
@@ -109986,16 +109986,18 @@ discovery:
          type: string
          default: "$env:temp\\T1083Test5.txt"
      executor:
-        command: "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\",
-          \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue
-          | Out-File -append #{File_to_output}\nGet-ChildItem -Path $env:programfiles
-          -erroraction silentlycontinue | Out-File -append #{File_to_output}\nGet-ChildItem
-          -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File
-          -append #{File_to_output}\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach
-          ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
-          \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path
-          \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue
-          | Out-File -append #{File_to_output}}\n}\ncat #{File_to_output}\n"
+        command: |
+          $folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
+          Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
+          Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
+          Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
+          $UsersFolder = "$env:homedrive\Users\"
+          foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
+          {
+          foreach ($secondarydirectory in $folderarray)
+           {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
+          }
+          cat #{File_to_output}
        cleanup_command: 'remove-item #{File_to_output} -ErrorAction SilentlyContinue

          '
@@ -110092,6 +110094,75 @@ discovery:

          '
        name: sh
+    - name: Recursive Enumerate Files And Directories By Powershell
+      auto_generated_guid: 95a21323-770d-434c-80cd-6f6fbf7af432
+      description: |
+        Adversary attempting to discover and collect sensitive documents and archives
+        from a user’s system. The test recursively enumerates common user folders
+        (Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
+        .docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
+        This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
+        where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: File to output results.
+          type: string
+          default: "$env:TEMP\\T1083-Enumerate-net.txt"
+      executor:
+        name: powershell
+        command: |
+          $out = "#{output_file}"
+          $dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
+          $exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
+          $userProfile = [Environment]::GetFolderPath('UserProfile')
+          $tr = [System.Collections.Generic.List[string]]::new()
+
+          function MatchesExtension($path) {
+            try {
+              $e = [System.IO.Path]::GetExtension($path).ToLower()
+              return $exts -contains $e
+            } catch { return $false }
+          }
+
+          function Scan-Dir($root) {
+            try {
+              $match = $false
+              foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
+              if (-not $match) { return }
+
+              [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
+                if (MatchesExtension $_) {
+                  $fi = [System.IO.FileInfo]::new($_)
+                  $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
+                }
+              }
+
+              [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
+                Scan-Dir $_
+              }
+            } catch [System.UnauthorizedAccessException] {
+              $tr.Add("[AccessDenied] $root")
+            } catch {
+              $tr.Add("[Error] $root => $($_.Exception.Message)")
+            }
+          }
+
+          [System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }
+
+          # Ensure output dir exists
+          $outDir = [System.IO.Path]::GetDirectoryName($out)
+          if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
+            New-Item -Path $outDir -ItemType Directory -Force | Out-Null
+          }
+
+          # Write results
+          $tr | Out-File -FilePath $out -Encoding UTF8
+          Write-Output "Enumeration complete. Results written to: $out"
+        cleanup_command: 'Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue
+
+          '
  T1049:
    technique:
      type: attack-pattern
@@ -90016,10 +90016,10 @@ discovery:
        name: powershell
    - name: Simulating MAZE Directory Enumeration
      auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
-      description: "This test emulates MAZE ransomware's ability to enumerate directories
-        using Powershell. \nUpon successful execution, this test will output the directory
-        enumeration results to a specified file, as well as display them in the active
-        window. \nSee https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n"
+      description: |
+        This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
+        Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
+        See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
      supported_platforms:
      - windows
      input_arguments:
@@ -90028,16 +90028,18 @@ discovery:
          type: string
          default: "$env:temp\\T1083Test5.txt"
      executor:
-        command: "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\",
-          \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue
-          | Out-File -append #{File_to_output}\nGet-ChildItem -Path $env:programfiles
-          -erroraction silentlycontinue | Out-File -append #{File_to_output}\nGet-ChildItem
-          -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File
-          -append #{File_to_output}\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach
-          ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
-          \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path
-          \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue
-          | Out-File -append #{File_to_output}}\n}\ncat #{File_to_output}\n"
+        command: |
+          $folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
+          Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
+          Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
+          Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
+          $UsersFolder = "$env:homedrive\Users\"
+          foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
+          {
+          foreach ($secondarydirectory in $folderarray)
+           {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
+          }
+          cat #{File_to_output}
        cleanup_command: 'remove-item #{File_to_output} -ErrorAction SilentlyContinue

          '
@@ -90122,6 +90124,75 @@ discovery:
          '
        name: command_prompt
        elevation_required: false
+    - name: Recursive Enumerate Files And Directories By Powershell
+      auto_generated_guid: 95a21323-770d-434c-80cd-6f6fbf7af432
+      description: |
+        Adversary attempting to discover and collect sensitive documents and archives
+        from a user’s system. The test recursively enumerates common user folders
+        (Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
+        .docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
+        This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
+        where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: File to output results.
+          type: string
+          default: "$env:TEMP\\T1083-Enumerate-net.txt"
+      executor:
+        name: powershell
+        command: |
+          $out = "#{output_file}"
+          $dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
+          $exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
+          $userProfile = [Environment]::GetFolderPath('UserProfile')
+          $tr = [System.Collections.Generic.List[string]]::new()
+
+          function MatchesExtension($path) {
+            try {
+              $e = [System.IO.Path]::GetExtension($path).ToLower()
+              return $exts -contains $e
+            } catch { return $false }
+          }
+
+          function Scan-Dir($root) {
+            try {
+              $match = $false
+              foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
+              if (-not $match) { return }
+
+              [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
+                if (MatchesExtension $_) {
+                  $fi = [System.IO.FileInfo]::new($_)
+                  $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
+                }
+              }
+
+              [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
+                Scan-Dir $_
+              }
+            } catch [System.UnauthorizedAccessException] {
+              $tr.Add("[AccessDenied] $root")
+            } catch {
+              $tr.Add("[Error] $root => $($_.Exception.Message)")
+            }
+          }
+
+          [System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }
+
+          # Ensure output dir exists
+          $outDir = [System.IO.Path]::GetDirectoryName($out)
+          if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
+            New-Item -Path $outDir -ItemType Directory -Force | Out-Null
+          }
+
+          # Write results
+          $tr | Out-File -FilePath $out -Encoding UTF8
+          Write-Output "Enumeration complete. Results written to: $out"
+        cleanup_command: 'Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue
+
+          '
  T1049:
    technique:
      type: attack-pattern
@@ -28,6 +28,8 @@ Some files and directories may require elevated or specific user permissions to

 - [Atomic Test #8 - Identifying Network Shares - Linux](#atomic-test-8---identifying-network-shares---linux)

+- [Atomic Test #9 - Recursive Enumerate Files And Directories By Powershell](#atomic-test-9---recursive-enumerate-files-and-directories-by-powershell)
+

 <br/>

@@ -196,8 +198,8 @@ rm #{output_file}
 <br/>

 ## Atomic Test #5 - Simulating MAZE Directory Enumeration
-This test emulates MAZE ransomware's ability to enumerate directories using Powershell. 
-Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. 
+This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
+Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
 See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents

 **Supported Platforms:** Windows
@@ -224,7 +226,7 @@ Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -app
 Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
 Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
 $UsersFolder = "$env:homedrive\Users\"
-foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) 
+foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
 {
 foreach ($secondarydirectory in $folderarray)
 {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
@@ -375,4 +377,92 @@ findmnt -t nfs



+<br/>
+<br/>
+
+## Atomic Test #9 - Recursive Enumerate Files And Directories By Powershell
+Adversary attempting to discover and collect sensitive documents and archives
+from a user’s system. The test recursively enumerates common user folders
+(Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
+.docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
+This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
+where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95a21323-770d-434c-80cd-6f6fbf7af432
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to output results. | string | $env:TEMP&#92;T1083-Enumerate-net.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$out = "#{output_file}"
+$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
+$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
+$userProfile = [Environment]::GetFolderPath('UserProfile')
+$tr = [System.Collections.Generic.List[string]]::new()
+
+function MatchesExtension($path) {
+  try {
+    $e = [System.IO.Path]::GetExtension($path).ToLower()
+    return $exts -contains $e
+  } catch { return $false }
+}
+
+function Scan-Dir($root) {
+  try {
+    $match = $false
+    foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
+    if (-not $match) { return }
+
+    [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
+      if (MatchesExtension $_) {
+        $fi = [System.IO.FileInfo]::new($_)
+        $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
+      }
+    }
+
+    [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
+      Scan-Dir $_
+    }
+  } catch [System.UnauthorizedAccessException] {
+    $tr.Add("[AccessDenied] $root")
+  } catch {
+    $tr.Add("[Error] $root => $($_.Exception.Message)")
+  }
+}
+
+[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }
+
+# Ensure output dir exists
+$outDir = [System.IO.Path]::GetDirectoryName($out)
+if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
+  New-Item -Path $outDir -ItemType Directory -Force | Out-Null
+}
+
+# Write results
+$tr | Out-File -FilePath $out -Encoding UTF8
+Write-Output "Enumeration complete. Results written to: $out"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>
@@ -203,6 +203,7 @@ atomic_tests:
      findmnt -t nfs
    name: sh
 - name: Recursive Enumerate Files And Directories By Powershell
+  auto_generated_guid: 95a21323-770d-434c-80cd-6f6fbf7af432
  description: |
    Adversary attempting to discover and collect sensitive documents and archives
    from a user’s system. The test recursively enumerates common user folders
@@ -1772,3 +1772,4 @@ d9efa6c7-6518-42b2-809a-4f2a8e242b9b
 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
 a9604672-cd46-493b-b58f-fd4124c22dd3
 22386853-f68d-4b50-a362-de235127c443
+95a21323-770d-434c-80cd-6f6fbf7af432