Generated docs from job=generate-docs branch=master [ci skip]

2023-03-16 23:41:15 +00:00
parent d62766548b
commit 8025353c3d
9 changed files with 118 additions and 2 deletions
@@ -1182,6 +1182,7 @@ discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b67
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
@@ -836,6 +836,7 @@ discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
@@ -1898,6 +1898,7 @@
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - [T1613 Container and Resource Discovery](../../T1613/T1613.md)
  - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1369,6 +1369,7 @@
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1615 Group Policy Discovery](../../T1615/T1615.md)
@@ -84572,6 +84572,36 @@ discovery:
          -FilePath .\\CurrentUserObject.txt\n"
        cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force

+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+
          '
        name: powershell
  T1613:
@@ -73711,6 +73711,36 @@ discovery:
          -FilePath .\\CurrentUserObject.txt\n"
        cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force

+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+
          '
        name: powershell
  T1613:
@@ -16,6 +16,8 @@ Various utilities and commands may acquire this information, including <code>who

 - [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script)

+- [Atomic Test #6 - System Discovery - SocGholish whoami](#atomic-test-6---system-discovery---socgholish-whoami)
+

 <br/>

@@ -185,4 +187,54 @@ Remove-Item -Path .\CurrentUserObject.txt -Force



+<br/>
+<br/>
+
+## Atomic Test #6 - System Discovery - SocGholish whoami
+SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
+The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
+
+Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_path | Location of output file | string | $env:temp|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$TokenSet = @{
+  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+  N = [Char[]]'0123456789'
+}
+$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+$Number = Get-Random -Count 5 -InputObject $TokenSet.N
+$StringSet = $Upper + $Number
+$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+$file = "rad" + $rad + ".tmp"
+
+whoami.exe /all >> #{output_path}\$file
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path $env:temp\rad*.tmp -Force
+```
+
+
+
+
+
 <br/>