Generated docs from job=generate-docs branch=master [ci skip]

2025-01-12 22:31:02 +00:00
parent 1790286330
commit 908abd7bf6
12 changed files with 203 additions and 5 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1699-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1701-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -1942,6 +1942,8 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,5,Disco
 discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,7,Discover System Language with dism.exe,69f625ba-938f-4900-bdff-82ada3df5d9c,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,8,Discover System Language by Windows API Query,e39b99e9-ce7f-4b24-9c88-0fbad069e6c6,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,9,Discover System Language with WMIC,4758003d-db14-4959-9c0f-9e87558ac69e,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,10,Discover System Language with Powershell,1f23bfe8-36d4-49ce-903a-19a1e8c6631b,powershell
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
@@ -1317,6 +1317,8 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,1,Disco
 discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,7,Discover System Language with dism.exe,69f625ba-938f-4900-bdff-82ada3df5d9c,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,8,Discover System Language by Windows API Query,e39b99e9-ce7f-4b24-9c88-0fbad069e6c6,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,9,Discover System Language with WMIC,4758003d-db14-4959-9c0f-9e87558ac69e,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,10,Discover System Language with Powershell,1f23bfe8-36d4-49ce-903a-19a1e8c6631b,powershell
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
@@ -2638,6 +2638,8 @@
  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
  - Atomic Test #7: Discover System Language with dism.exe [windows]
  - Atomic Test #8: Discover System Language by Windows API Query [windows]
+  - Atomic Test #9: Discover System Language with WMIC [windows]
+  - Atomic Test #10: Discover System Language with Powershell [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
@@ -1851,6 +1851,8 @@
  - Atomic Test #2: Discover System Language with chcp [windows]
  - Atomic Test #7: Discover System Language with dism.exe [windows]
  - Atomic Test #8: Discover System Language by Windows API Query [windows]
+  - Atomic Test #9: Discover System Language with WMIC [windows]
+  - Atomic Test #10: Discover System Language with Powershell [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
@@ -107272,7 +107272,59 @@ discovery:
      executor:
        name: command_prompt
        elevation_required: false
-        command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
+        command: 'PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
+
+          '
+    - name: Discover System Language with WMIC
+      auto_generated_guid: 4758003d-db14-4959-9c0f-9e87558ac69e
+      description: "WMIC (Windows Management Instrumentation Command-line) is a command-line
+        tool that provides a simplified interface to query and manage Windows system
+        configurations, processes, and hardware information using WMI. \n\nThe command
+        in this test retrieves information about the system's locale, operating system
+        language, and multilingual user interface (MUI) languages.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        target_host:
+          description: "The host that will be queried.\n\nIf the host contains special
+            characters, it may need to be wrapped in double quotes or double + single
+            quotes. \n\nFor example: \"DESKTOP-123\" or \"'DESKTOP-123'\".\n"
+          type: string
+          default: localhost
+        format_style:
+          description: You can specify multipe output formats for wmic such as table,
+            list and csv.
+          type: string
+          default: table
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages
+          /format:#{format_style}
+
+          '
+    - name: Discover System Language with Powershell
+      auto_generated_guid: 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
+      description: "This PowerShell script collects key system settings, such as the
+        UI language, user language preferences, system locale, current culture, UI
+        culture, and time zone, into a hash table. \n\nIt then outputs these settings
+        in a readable key-value format directly to the terminal. The script is simple
+        and efficient for quickly displaying system configuration details.\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |-
+          $info = @{
+            UILanguage     = Get-WinUILanguageOverride
+            UserLanguages  = (Get-WinUserLanguageList).LanguageTag -join ', '
+            SystemLocale   = Get-WinSystemLocale
+            CurrentCulture = [System.Globalization.CultureInfo]::CurrentCulture.Name
+            CurrentUICulture = [System.Globalization.CultureInfo]::CurrentUICulture.Name
+            TimeZone       = (Get-TimeZone).Id
+          }
+          $info.GetEnumerator() | ForEach-Object { "$($_.Name): $($_.Value)" }
  T1012:
    technique:
      modified: '2023-04-03T18:56:37.011Z'
@@ -87958,7 +87958,59 @@ discovery:
      executor:
        name: command_prompt
        elevation_required: false
-        command: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
+        command: 'PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
+
+          '
+    - name: Discover System Language with WMIC
+      auto_generated_guid: 4758003d-db14-4959-9c0f-9e87558ac69e
+      description: "WMIC (Windows Management Instrumentation Command-line) is a command-line
+        tool that provides a simplified interface to query and manage Windows system
+        configurations, processes, and hardware information using WMI. \n\nThe command
+        in this test retrieves information about the system's locale, operating system
+        language, and multilingual user interface (MUI) languages.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        target_host:
+          description: "The host that will be queried.\n\nIf the host contains special
+            characters, it may need to be wrapped in double quotes or double + single
+            quotes. \n\nFor example: \"DESKTOP-123\" or \"'DESKTOP-123'\".\n"
+          type: string
+          default: localhost
+        format_style:
+          description: You can specify multipe output formats for wmic such as table,
+            list and csv.
+          type: string
+          default: table
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages
+          /format:#{format_style}
+
+          '
+    - name: Discover System Language with Powershell
+      auto_generated_guid: 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
+      description: "This PowerShell script collects key system settings, such as the
+        UI language, user language preferences, system locale, current culture, UI
+        culture, and time zone, into a hash table. \n\nIt then outputs these settings
+        in a readable key-value format directly to the terminal. The script is simple
+        and efficient for quickly displaying system configuration details.\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |-
+          $info = @{
+            UILanguage     = Get-WinUILanguageOverride
+            UserLanguages  = (Get-WinUserLanguageList).LanguageTag -join ', '
+            SystemLocale   = Get-WinSystemLocale
+            CurrentCulture = [System.Globalization.CultureInfo]::CurrentCulture.Name
+            CurrentUICulture = [System.Globalization.CultureInfo]::CurrentUICulture.Name
+            TimeZone       = (Get-TimeZone).Id
+          }
+          $info.GetEnumerator() | ForEach-Object { "$($_.Name): $($_.Value)" }
  T1012:
    technique:
      modified: '2023-04-03T18:56:37.011Z'
@@ -26,6 +26,10 @@ On a macOS or Linux system, adversaries may query <code>locale</code> to retriev

 - [Atomic Test #8 - Discover System Language by Windows API Query](#atomic-test-8---discover-system-language-by-windows-api-query)

+- [Atomic Test #9 - Discover System Language with WMIC](#atomic-test-9---discover-system-language-with-wmic)
+
+- [Atomic Test #10 - Discover System Language with Powershell](#atomic-test-10---discover-system-language-with-powershell)
+

 <br/>

@@ -317,4 +321,82 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste



+<br/>
+<br/>
+
+## Atomic Test #9 - Discover System Language with WMIC
+WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a simplified interface to query and manage Windows system configurations, processes, and hardware information using WMI. 
+
+The command in this test retrieves information about the system's locale, operating system language, and multilingual user interface (MUI) languages.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4758003d-db14-4959-9c0f-9e87558ac69e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_host | The host that will be queried.
+
+If the host contains special characters, it may need to be wrapped in double quotes or double + single quotes. 
+
+For example: "DESKTOP-123" or "'DESKTOP-123'". | string | localhost|
+| format_style | You can specify multipe output formats for wmic such as table, list and csv. | string | table|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages /format:#{format_style}
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Discover System Language with Powershell
+This PowerShell script collects key system settings, such as the UI language, user language preferences, system locale, current culture, UI culture, and time zone, into a hash table. 
+
+It then outputs these settings in a readable key-value format directly to the terminal. The script is simple and efficient for quickly displaying system configuration details.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$info = @{
+  UILanguage     = Get-WinUILanguageOverride
+  UserLanguages  = (Get-WinUserLanguageList).LanguageTag -join ', '
+  SystemLocale   = Get-WinSystemLocale
+  CurrentCulture = [System.Globalization.CultureInfo]::CurrentCulture.Name
+  CurrentUICulture = [System.Globalization.CultureInfo]::CurrentUICulture.Name
+  TimeZone       = (Get-TimeZone).Id
+}
+$info.GetEnumerator() | ForEach-Object { "$($_.Name): $($_.Value)" }
+```
+
+
+
+
+
+
 <br/>
@@ -139,6 +139,7 @@ atomic_tests:
    command: |
      PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
 - name: Discover System Language with WMIC
+  auto_generated_guid: 4758003d-db14-4959-9c0f-9e87558ac69e
  description: |
   WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a simplified interface to query and manage Windows system configurations, processes, and hardware information using WMI. 
   
@@ -165,6 +166,7 @@ atomic_tests:
    command: |
      wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages /format:#{format_style}
 - name: Discover System Language with Powershell
+  auto_generated_guid: 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
  description: |
   This PowerShell script collects key system settings, such as the UI language, user language preferences, system locale, current culture, UI culture, and time zone, into a hash table. 
   
@@ -1723,3 +1723,5 @@ acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
 aa8b9bcc-46fa-4a59-9237-73c7b93a980c
 58f57c8f-db14-4e62-a4d3-5aaf556755d7
 de47f4a0-2acb-416d-9a6b-cee584a4c4d1
+4758003d-db14-4959-9c0f-9e87558ac69e
+1f23bfe8-36d4-49ce-903a-19a1e8c6631b