Generate docs from job=validate_atomics_generate_docs branch=master

2019-09-03 13:37:19 +00:00
parent c0405724ec
commit 84de04b082
9 changed files with 30 additions and 98 deletions
@@ -6,8 +6,6 @@

 - [Atomic Test #1 - Persistence](#atomic-test-1---persistence)

- [Atomic Test #2 - Persistence Cleanup](#atomic-test-2---persistence-cleanup)
-

 <br/>

@@ -45,23 +43,7 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa
 ```


-
-<br/>
-<br/>
-
-## Atomic Test #2 - Persistence Cleanup
-Run from an administrator powershell window
-
-Code references
-
-https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
-
-https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
-
-**Supported Platforms:** Windows
-
-
-#### Run it with `powershell`! 
+#### Cleanup Commands:
 ```
 $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
 $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
@@ -72,6 +54,4 @@ $EventConsumerToCleanup | Remove-WmiObject
 $EventFilterToCleanup | Remove-WmiObject
 ```

-
-
 <br/>
@@ -16,10 +16,6 @@ The network may be within a single organization or across organizations with tru
 ## Atomic Test #1 - Connection Proxy
 Enable traffic redirection.

-To undo changes made by this test:
-  unset http_proxy
-  unset https_proxy
-
 Note that this test may conflict with pre-existing system configuration.

 **Supported Platforms:** macOS, Linux
@@ -37,5 +33,10 @@ export #{proxy_scheme}_proxy=#{proxy_server}
 ```


+#### Cleanup Commands:
+```
+unset http_proxy
+unset https_proxy
+```

 <br/>
@@ -19,9 +19,12 @@ Hijack COM Object used by certutil.exe
 ```
 reg import ..\src\COMHijack.reg
 certutil.exe -CAInfo
-reg import ..\src\COMHijackCleanup.reg
 ```


+#### Cleanup Commands:
+```
+reg import ..\src\COMHijackCleanup.reg
+```

 <br/>
@@ -45,11 +45,13 @@ Establish persistence via a rule run by emond daemon at startup, based on https:
 ```
 sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
 sudo touch /private/var/db/emondClients/T1165
-#Clean up
+```
+
+
+#### Cleanup Commands:
+```
 sudo rm /etc/emond.d/rules/T1165_emond.plist
 sudo rm /private/var/db/emondClients/T1165
 ```

-
-
 <br/>
@@ -16,8 +16,6 @@ While adversaries typically require root privileges to create/modify service uni

 - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service)

- [Atomic Test #2 - Cleanup Systemd Test](#atomic-test-2---cleanup-systemd-test)
-

 <br/>

@@ -61,23 +59,7 @@ systemctl start #{systemd_service_file}
 ```


-
-<br/>
-<br/>
-
-## Atomic Test #2 - Cleanup Systemd Test
-This cleans up the remnants of the SystemD service unit file creation test.
-
-**Supported Platforms:** Linux
-
-
-#### Inputs
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
-| systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
-
-#### Run it with `bash`! 
+#### Cleanup Commands:
 ```
 systemctl stop #{systemd_service_file}
 systemctl disable #{systemd_service_file}
@@ -85,6 +67,4 @@ rm -rf #{systemd_service_path}/#{systemd_service_file}
 systemctl daemon-reload
 ```

-
-
 <br/>
@@ -126,7 +126,6 @@
 - T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1501 Systemd Service](./T1501/T1501.md)
  - Atomic Test #1: Create Systemd Service [linux]
-  - Atomic Test #2: Cleanup Systemd Test [linux]
 - T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1154 Trap](./T1154/T1154.md)
  - Atomic Test #1: Trap [macos, centos, ubuntu, linux]
@@ -135,7 +134,6 @@
  - Atomic Test #1: Web Shell Written to Disk [windows]
 - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
  - Atomic Test #1: Persistence [windows]
-  - Atomic Test #2: Persistence Cleanup [windows]
 - [T1004 Winlogon Helper DLL](./T1004/T1004.md)
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
@@ -1131,7 +1131,9 @@ persistence:
        command: |
          reg import ..\src\COMHijack.reg
          certutil.exe -CAInfo
-          reg import ..\src\COMHijackCleanup.reg
+        cleanup_command: 'reg import ..\src\COMHijackCleanup.reg
+
+'
  T1136:
    technique:
      external_references:
@@ -3758,7 +3760,7 @@ persistence:
        command: |
          sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
          sudo touch /private/var/db/emondClients/T1165
-          #Clean up
+        cleanup_command: |
          sudo rm /etc/emond.d/rules/T1165_emond.plist
          sudo rm /private/var/db/emondClients/T1165
  T1501:
@@ -3915,25 +3917,7 @@ persistence:
          systemctl daemon-reload
          systemctl enable #{systemd_service_file}
          systemctl start #{systemd_service_file}
-    - name: Cleanup Systemd Test
-      description: 'This cleans up the remnants of the SystemD service unit file creation
-        test.
-
-'
-      supported_platforms:
-      - linux
-      input_arguments:
-        systemd_service_path:
-          description: Path to systemd service unit file
-          type: Path
-          default: "/etc/systemd/system"
-        systemd_service_file:
-          description: File name of systemd service unit file
-          type: String
-          default: art-systemd-service.service
-      executor:
-        name: bash
-        command: |
+        cleanup_command: |
          systemctl stop #{systemd_service_file}
          systemctl disable #{systemd_service_file}
          rm -rf #{systemd_service_path}/#{systemd_service_file}
@@ -4149,8 +4133,7 @@ persistence:
      executor:
        name: powershell
        elevation_required: true
-        command: |2
-
+        command: |
          $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
                          EventNameSpace='root\CimV2';
                          QueryLanguage="WQL";
@@ -4166,21 +4149,7 @@ persistence:
          Consumer = [Ref] $Consumer;
          }
          $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
-    - name: Persistence Cleanup
-      description: |
-        Run from an administrator powershell window
-
-        Code references
-
-        https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
-
-        https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
-      supported_platforms:
-      - windows
-      executor:
-        name: powershell
-        command: |2
-
+        cleanup_command: |
          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
          $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
@@ -5324,7 +5293,9 @@ defense-evasion:
        command: |
          reg import ..\src\COMHijack.reg
          certutil.exe -CAInfo
-          reg import ..\src\COMHijackCleanup.reg
+        cleanup_command: 'reg import ..\src\COMHijackCleanup.reg
+
+'
  T1196:
    technique:
      external_references:
@@ -11941,7 +11912,7 @@ privilege-escalation:
        command: |
          sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
          sudo touch /private/var/db/emondClients/T1165
-          #Clean up
+        cleanup_command: |
          sudo rm /etc/emond.d/rules/T1165_emond.plist
          sudo rm /private/var/db/emondClients/T1165
  T1169:
@@ -21188,10 +21159,6 @@ command-and-control:
      description: |
        Enable traffic redirection.

-        To undo changes made by this test:
-          unset http_proxy
-          unset https_proxy
-
        Note that this test may conflict with pre-existing system configuration.
      supported_platforms:
      - macos
@@ -21210,6 +21177,9 @@ command-and-control:
        command: 'export #{proxy_scheme}_proxy=#{proxy_server}

 '
+        cleanup_command: |-
+          unset http_proxy
+          unset https_proxy
  T1132:
    technique:
      external_references:
@@ -29,7 +29,6 @@
  - Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
 - [T1501 Systemd Service](./T1501/T1501.md)
  - Atomic Test #1: Create Systemd Service [linux]
-  - Atomic Test #2: Cleanup Systemd Test [linux]
 - [T1154 Trap](./T1154/T1154.md)
  - Atomic Test #1: Trap [macos, centos, ubuntu, linux]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -272,7 +272,6 @@
  - Atomic Test #1: Web Shell Written to Disk [windows]
 - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
  - Atomic Test #1: Persistence [windows]
-  - Atomic Test #2: Persistence Cleanup [windows]
 - [T1004 Winlogon Helper DLL](./T1004/T1004.md)
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]