Generated docs from job=generate-docs branch=master [ci skip]

2022-10-03 15:43:49 +00:00
parent 5e91e948fc
commit 7e1529fbca
8 changed files with 72 additions and 2 deletions
@@ -1326,6 +1326,7 @@ command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
 command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -965,6 +965,7 @@ command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to cop
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -2168,6 +2168,7 @@
  - Atomic Test #26: Download a file using wscript [windows]
  - Atomic Test #27: Linux Download File and Run [linux]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
+  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
@@ -1577,6 +1577,7 @@
  - Atomic Test #25: certreq download [windows]
  - Atomic Test #26: Download a file using wscript [windows]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
+  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
@@ -94016,6 +94016,32 @@ command-and-control:
          Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
          Remove-Item $env:temp\nim
          Remove-Item $env:temp\nim.zip
+    - name: iwr or Invoke Web-Request download
+      auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
+      description: 'Use ''iwr'' or "Invoke-WebRequest" -URI argument to download a
+        file from the web. Note: without -URI also works in some versions.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: "%temp%\\Atomic-license.txt"
+      executor:
+        command: 'powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
+
+          '
+        cleanup_command: 'del %temp%\Atomic-license.txt >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1001.002:
    technique:
      x_mitre_platforms:
@@ -64,6 +64,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co

 - [Atomic Test #28 - Nimgrab - Transfer Files](#atomic-test-28---nimgrab---transfer-files)

+- [Atomic Test #29 - iwr or Invoke Web-Request download](#atomic-test-29---iwr-or-invoke-web-request-download)
+

 <br/>

@@ -1265,4 +1267,42 @@ Remove-Item $env:temp\nim.zip



+<br/>
+<br/>
+
+## Atomic Test #29 - iwr or Invoke Web-Request download
+Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c01cad7f-7a4c-49df-985e-b190dcf6a279
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | %temp%&#92;Atomic-license.txt|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+powershell.exe iwr -URI #{remote_file} -Outfile #{local_path}
+```
+
+#### Cleanup Commands:
+```cmd
+del %temp%\Atomic-license.txt >nul 2>&1
+```
+
+
+
+
+
 <br/>