From 8243dfedec35aa8b00e9bc9df3d086d18e24004a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 13 Dec 2018 16:06:56 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1007/T1007.md | 20 ++++++++++++++++++++ atomics/index.md | 1 + atomics/index.yaml | 17 +++++++++++++++++ atomics/windows-index.md | 1 + 4 files changed, 39 insertions(+) diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index 721c6c36..ebad1753 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -6,6 +6,8 @@ - [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery) +- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe) +
@@ -30,3 +32,21 @@ sc stop #{service_name} wmic service where (displayname like "#{service_name}") get name ```
+
+ +## Atomic Test #2 - System Service Discovery - net.exe +Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| + +#### Run it with `command_prompt`! +``` +net.exe start >> #{output_file} +``` +
diff --git a/atomics/index.md b/atomics/index.md index 11b6b8af..fe2c56d4 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -455,6 +455,7 @@ - Atomic Test #2: System Owner/User Discovery [linux, macos] - [T1007 System Service Discovery](./T1007/T1007.md) - Atomic Test #1: System Service Discovery [windows] + - Atomic Test #2: System Service Discovery - net.exe [windows] - [T1124 System Time Discovery](./T1124/T1124.md) - Atomic Test #1: System Time Discovery [windows] - Atomic Test #2: System Time Discovery - PowerShell [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index b1f617e8..90b77a46 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -12452,6 +12452,23 @@ discovery: sc start #{service_name} sc stop #{service_name} wmic service where (displayname like "#{service_name}") get name + - name: System Service Discovery - net.exe + description: 'Enumerates started system services using net.exe and writes them + to a file. This technique has been used by multiple threat actors. + +' + supported_platforms: + - windows + input_arguments: + output_file: + description: Path of file to hold net.exe output + type: Path + default: C:\Windows\Temp\service-list.txt + executor: + name: command_prompt + command: 'net.exe start >> #{output_file} + +' T1124: technique: id: attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077 diff --git a/atomics/windows-index.md b/atomics/windows-index.md index f6796ede..e96ce6c5 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -308,6 +308,7 @@ - Atomic Test #1: System Owner/User Discovery [windows] - [T1007 System Service Discovery](./T1007/T1007.md) - Atomic Test #1: System Service Discovery [windows] + - Atomic Test #2: System Service Discovery - net.exe [windows] - [T1124 System Time Discovery](./T1124/T1124.md) - Atomic Test #1: System Time Discovery [windows] - Atomic Test #2: System Time Discovery - PowerShell [windows]