security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-12-10 14:18:39 +00:00
parent 0544e5e777
commit 890099be35
4 changed files with 60 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1035/T1035.md
+30 -1
View File
@@ -6,11 +6,13 @@
- [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service)
- [Atomic Test #2 - Use PsExec to execute a command on a remote host](#atomic-test-2---use-psexec-to-execute-a-command-on-a-remote-host)
<br/>
## Atomic Test #1 - Execute a Command as a Service
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
**Supported Platforms:** Windows
@@ -30,4 +32,31 @@ sc.exe delete #{service_name}
<br/>
<br/>
## Atomic Test #2 - Use PsExec to execute a command on a remote host
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
Will run a command on a remote host
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe|
| remote_host | Remote hostname or IP address | string | localhost|
#### Run it with `powershell`!
```
#{psexec_path} \\#{remote_host} "C:\Windows\System32\calc.exe"
```
#### Commands to Check Prerequisites:
```
if(Test-Path #{psexec_path}) {0} else {1}
```
<br/>
atomics/index.md
+1
View File
@@ -772,6 +772,7 @@
- Atomic Test #2: Create and Execute Batch Script [windows]
- [T1035 Service Execution](./T1035/T1035.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
atomics/index.yaml
+28 -2
View File
@@ -22332,9 +22332,11 @@ execution:
identifier: T1035
atomic_tests:
- name: Execute a Command as a Service
description: "Creates a service specifying an aribrary command and executes
description: 'Creates a service specifying an aribrary command and executes
it. When executing commands such as PowerShell, the service will report that
it did not start correctly even when code executes properly. \n"
it did not start correctly even when code executes properly.
'
supported_platforms:
- windows
input_arguments:
@@ -22354,6 +22356,30 @@ execution:
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
sc.exe delete #{service_name}
- name: Use PsExec to execute a command on a remote host
description: |
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
Will run a command on a remote host
supported_platforms:
- windows
input_arguments:
psexec_path:
description: Path to PsExec
type: string
default: C:\PSTools\PsExec.exe
remote_host:
description: Remote hostname or IP address
type: string
default: localhost
executor:
name: powershell
elevation_required: false
prereq_command: 'if(Test-Path #{psexec_path}) {0} else {1}
'
command: '#{psexec_path} \\#{remote_host} "C:\Windows\System32\calc.exe"
'
T1218:
technique:
x_mitre_data_sources:
atomics/windows-index.md
+1
View File
@@ -647,6 +647,7 @@
- Atomic Test #2: Create and Execute Batch Script [windows]
- [T1035 Service Execution](./T1035/T1035.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]