Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-02-15 20:23:40 +00:00
parent 1bdc7b2855
commit 822dcbdb0e
6 changed files with 99 additions and 0 deletions
@@ -564,6 +564,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
@@ -385,6 +385,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -886,6 +886,7 @@
  - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
  - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
  - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+  - Atomic Test #9: DiskShadow Command Execution [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
  - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
  - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -632,6 +632,7 @@
  - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
  - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
  - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+  - Atomic Test #9: DiskShadow Command Execution [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
  - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
  - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -37523,6 +37523,43 @@ defense-evasion:
        command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name}
          -ModulePath #{module_path}'
        name: powershell
+    - name: DiskShadow Command Execution
+      auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
+      description: 'Emulates attack with a DiskShadow.exe (LOLBIN installed by default
+        on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        txt_payload:
+          description: txt to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\T1218.txt
+        dspath:
+          description: Default location of DiskShadow.exe
+          type: Path
+          default: C:\Windows\System32\diskshadow.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: txt file must exist on disk at specified location (#{txt_payload})
+        prereq_command: 'if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+      - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+        prereq_command: 'if (Test-Path #{dspath}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'echo "DiskShadow.exe not found on disk at expected location"
+
+'
+      executor:
+        command: "#{dspath} -S #{txt_payload} \n"
+        name: powershell
+        elevation_required: false
  T1216:
    technique:
      id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
@@ -20,6 +20,8 @@

 - [Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-8---invoke-athremotefxvgpudisablementcommand-base-test)

+- [Atomic Test #9 - DiskShadow Command Execution](#atomic-test-9---diskshadow-command-execution)
+

 <br/>

@@ -392,4 +394,60 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



+<br/>
+<br/>
+
+## Atomic Test #9 - DiskShadow Command Execution
+Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0e1483ba-8f0c-425d-b8c6-42736e058eaa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| txt_payload | txt to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;T1218.txt|
+| dspath | Default location of DiskShadow.exe | Path | C:&#92;Windows&#92;System32&#92;diskshadow.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+#{dspath} -S #{txt_payload}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: txt file must exist on disk at specified location (#{txt_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+```
+##### Description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dspath}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+echo "DiskShadow.exe not found on disk at expected location"
+```
+
+
+
+
 <br/>