Generated docs from job=generate-docs branch=master [ci skip]

2024-11-15 19:47:03 +00:00
parent a4f082e118
commit 7e167eed39
12 changed files with 124 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1662-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1663-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -158,6 +158,7 @@ defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution - Scriptrunner.exe,0fd14730-6226-4f5e-8d67-43c65f1be940,powershell
+defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
@@ -94,6 +94,7 @@ defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution - Scriptrunner.exe,0fd14730-6226-4f5e-8d67-43c65f1be940,powershell
+defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
@@ -205,6 +205,7 @@
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
  - Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
  - Atomic Test #4: Indirect Command Execution - Scriptrunner.exe [windows]
+  - Atomic Test #5: Indirect Command Execution - RunMRU Dialog [windows]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
@@ -130,6 +130,7 @@
  - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
  - Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
  - Atomic Test #4: Indirect Command Execution - Scriptrunner.exe [windows]
+  - Atomic Test #5: Indirect Command Execution - RunMRU Dialog [windows]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
  - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
  - Atomic Test #2: Certutil Rename and Decode [windows]
@@ -7896,6 +7896,38 @@ defense-evasion:
        cleanup_command: 
        name: powershell
        elevation_required: false
+    - name: Indirect Command Execution - RunMRU Dialog
+      auto_generated_guid: de323a93-2f18-4bd5-ba60-d6fca6aeff76
+      description: "Simulates execution of commands via the Windows Run dialog (Win+R)
+        by programmatically opening the Run dialog, \ncopying a command to clipboard,
+        and automating the paste and execution. This generates artifacts in the RunMRU
+        registry key,\nwhich is commonly abused by threat actors to execute malicious
+        commands disguised as CAPTCHA verification steps.\nUpon execution, a test
+        PowerShell command will be executed through the Run dialog.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to execute via Run dialog
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        command: |
+          # Copy command to clipboard
+          Set-Clipboard -Value '#{command}'
+
+          # Open Run dialog
+          Start-Process -FilePath "powershell" -ArgumentList "-c (New-Object -ComObject 'Shell.Application').FileRun()" -WindowStyle Hidden
+
+          # Wait for Run dialog to open
+          Start-Sleep -Seconds 1
+
+          # Paste command and execute
+          Add-Type -AssemblyName System.Windows.Forms
+          [System.Windows.Forms.SendKeys]::SendWait('^v')
+          Start-Sleep -Milliseconds 500
+          [System.Windows.Forms.SendKeys]::SendWait('{ENTER}')
  T1140:
    technique:
      modified: '2023-08-14T19:28:18.334Z'
@@ -6218,6 +6218,38 @@ defense-evasion:
        cleanup_command: 
        name: powershell
        elevation_required: false
+    - name: Indirect Command Execution - RunMRU Dialog
+      auto_generated_guid: de323a93-2f18-4bd5-ba60-d6fca6aeff76
+      description: "Simulates execution of commands via the Windows Run dialog (Win+R)
+        by programmatically opening the Run dialog, \ncopying a command to clipboard,
+        and automating the paste and execution. This generates artifacts in the RunMRU
+        registry key,\nwhich is commonly abused by threat actors to execute malicious
+        commands disguised as CAPTCHA verification steps.\nUpon execution, a test
+        PowerShell command will be executed through the Run dialog.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to execute via Run dialog
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        command: |
+          # Copy command to clipboard
+          Set-Clipboard -Value '#{command}'
+
+          # Open Run dialog
+          Start-Process -FilePath "powershell" -ArgumentList "-c (New-Object -ComObject 'Shell.Application').FileRun()" -WindowStyle Hidden
+
+          # Wait for Run dialog to open
+          Start-Sleep -Seconds 1
+
+          # Paste command and execute
+          Add-Type -AssemblyName System.Windows.Forms
+          [System.Windows.Forms.SendKeys]::SendWait('^v')
+          Start-Sleep -Milliseconds 500
+          [System.Windows.Forms.SendKeys]::SendWait('{ENTER}')
  T1140:
    technique:
      modified: '2023-08-14T19:28:18.334Z'
@@ -14,6 +14,8 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.

 - [Atomic Test #4 - Indirect Command Execution - Scriptrunner.exe](#atomic-test-4---indirect-command-execution---scriptrunnerexe)

+- [Atomic Test #5 - Indirect Command Execution - RunMRU Dialog](#atomic-test-5---indirect-command-execution---runmru-dialog)
+

 <br/>

@@ -156,4 +158,53 @@ Scriptrunner.exe -appvscript "#{payload_path}"



+<br/>
+<br/>
+
+## Atomic Test #5 - Indirect Command Execution - RunMRU Dialog
+Simulates execution of commands via the Windows Run dialog (Win+R) by programmatically opening the Run dialog, 
+copying a command to clipboard, and automating the paste and execution. This generates artifacts in the RunMRU registry key,
+which is commonly abused by threat actors to execute malicious commands disguised as CAPTCHA verification steps.
+Upon execution, a test PowerShell command will be executed through the Run dialog.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** de323a93-2f18-4bd5-ba60-d6fca6aeff76
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to execute via Run dialog | string | calc.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+# Copy command to clipboard
+Set-Clipboard -Value '#{command}'
+
+# Open Run dialog
+Start-Process -FilePath "powershell" -ArgumentList "-c (New-Object -ComObject 'Shell.Application').FileRun()" -WindowStyle Hidden
+
+# Wait for Run dialog to open
+Start-Sleep -Seconds 1
+
+# Paste command and execute
+Add-Type -AssemblyName System.Windows.Forms
+[System.Windows.Forms.SendKeys]::SendWait('^v')
+Start-Sleep -Milliseconds 500
+[System.Windows.Forms.SendKeys]::SendWait('{ENTER}')
+```
+
+
+
+
+
+
 <br/>
@@ -76,6 +76,7 @@ atomic_tests:
    name: powershell
    elevation_required: false
 - name: Indirect Command Execution - RunMRU Dialog
+  auto_generated_guid: de323a93-2f18-4bd5-ba60-d6fca6aeff76
  description: |
    Simulates execution of commands via the Windows Run dialog (Win+R) by programmatically opening the Run dialog, 
    copying a command to clipboard, and automating the paste and execution. This generates artifacts in the RunMRU registry key,
@@ -1691,3 +1691,4 @@ bc177ef9-6a12-4ebc-a2ec-d41e19c2791d
 ce479c1a-e8fa-42b2-812a-96b0f2f4d28a
 c187c9bc-4511-40b3-aa10-487b2c70b6a5
 5c876daf-db1e-41cf-988d-139a7443ccd4
+de323a93-2f18-4bd5-ba60-d6fca6aeff76