Generate docs from job=validate_atomics_generate_docs branch=oscd

2020-10-24 14:23:47 +00:00
parent e0495296ac
commit 83ebbf049d
12 changed files with 86 additions and 7 deletions
@@ -127,6 +127,7 @@ persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a
 persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
+persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
@@ -237,6 +237,7 @@ persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-4
 persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
+persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -275,7 +275,8 @@
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
+  - Atomic Test #1: Office Apllication Startup Test Persistence [windows]
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -456,7 +456,8 @@
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
+  - Atomic Test #1: Office Apllication Startup Test Persistence [windows]
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -58,7 +58,7 @@
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
-|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
+|  |  | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
 |  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
 |  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -41,7 +41,7 @@
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
@@ -13196,7 +13196,30 @@ persistence:
      x_mitre_platforms:
      - Windows
      - Office 365
-    atomic_tests: []
+      identifier: T1137.002
+    atomic_tests:
+    - name: Office Apllication Startup Test Persistence
+      auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563
+      description: |
+        Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office
+        application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.
+      supported_platforms:
+      - windows
+      input_arguments:
+        thing_to_execute:
+          description: Thing to Run
+          type: Path
+          default: C:\Path\AtomicRedTeam.dll
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
+          /t REG_SZ /d "#{thing_to_execute}"
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office
+          test\Special\Perf"
+
+'
+        name: command_prompt
  T1137.003:
    technique:
      external_references:
@@ -0,0 +1,50 @@
+# T1137.002 - Office Test
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1137.002)
+<blockquote>Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
+
+There exist user and global Registry keys for the Office Test feature:
+
+* <code>HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf</code>
+* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf</code>
+
+Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Office Apllication Startup Test Persistence](#atomic-test-1---office-apllication-startup-test-persistence)
+
+
+<br/>
+
+## Atomic Test #1 - Office Apllication Startup Test Persistence
+Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office
+application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| thing_to_execute | Thing to Run | Path | C:&#92;Path&#92;AtomicRedTeam.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}"
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
+```
+
+
+
+
+
+<br/>
@@ -2,6 +2,7 @@ attack_technique: T1137.002
 display_name: 'Office Application Startup: Office Test'
 atomic_tests:
 - name: Office Apllication Startup Test Persistence
+  auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563
  description: |
    Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office
    application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives.
@@ -584,3 +584,4 @@ fcec2963-9951-4173-9bfa-98d8b7834e62
 dc7726d2-8ccb-4cc6-af22-0d5afb53a548
 3c898f62-626c-47d5-aad2-6de873d69153
 cf3391e0-b482-4b02-87fc-ca8362269b29
+c3e35b58-fe1c-480b-b540-7600fb612563