Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-08-07 17:14:19 +00:00
parent d8733662f9
commit 99a4e8850a
22 changed files with 23 additions and 10 deletions
+1
View File
@@ -108,6 +108,7 @@ Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
**Supported Platforms:** Windows
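Review bot: the context line "After user's logging in cleartext password is saved in C:\NPPSpy.txt." is ungrammatical, and since this file is generated the fix belongs in the atomic's YAML description rather than in the markdown; suggest "After the user logs in, the cleartext password is saved in C:\NPPSpy.txt." The single added line in this hunk is not visible in the rendering, so it is presumably a blank line before **Supported Platforms:**; worth confirming the generator is not emitting a whitespace-only line.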
+1
View File
@@ -15,6 +15,7 @@ When automated exfiltration is used, other exfiltration techniques likely apply
Creates a text file
Tries to upload to a server via HTTP PUT method with ContentType Header
Deletes a created file
**Supported Platforms:** Windows
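Review bot: "via HTTP PUT method with ContentType Header" is ambiguous as written; the HTTP header is Content-Type, so if "ContentType" is meant as the name of the PowerShell parameter the test passes, the description should say so, and otherwise it should name the header as Content-Type and state the value the test sends, since that is what a detection rule for this atomic would key on.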
+1
View File
@@ -198,6 +198,7 @@ invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
## Atomic Test #6 - WinRM Access with Evil-WinRM
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
**Supported Platforms:** Windows
+1
View File
@@ -84,6 +84,7 @@ who
## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)
Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed.
**Supported Platforms:** Windows
+1
View File
@@ -143,6 +143,7 @@ c:\windump.exe
## Atomic Test #4 - Windows Internal Packet Capture
Uses the built-in Windows packet capture
After execution you should find a file named trace.etl and trace.cab in the temp directory
**Supported Platforms:** Windows
+1
View File
@@ -93,6 +93,7 @@ echo "Install nmap on the machine to run the test."; exit 1;
## Atomic Test #3 - Port Scan NMap for Windows
Scan ports to check for listening ports for the local host 127.0.0.1
**Supported Platforms:** Windows
+1 -1
View File
@@ -12,7 +12,7 @@ An adversary may use the <code>launchd</code> daemon in macOS environments to sc
<br/>
## Atomic Test #1 - Event Monitor Daemon Persistence
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
**Supported Platforms:** macOS
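Review bot: the removed and added lines in this hunk render identically ("This test adds persistence via a plist to execute via the macOS Event Monitor Daemon."), so the change is whitespace-only, most likely trailing whitespace or a line-ending flip. The same pattern appears in several other files in this commit; normalising trailing whitespace in the doc generator (or in the YAML descriptions it reads) would stop these lines from churning on every regeneration and keep the diff to real changes.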
+1 -1
View File
@@ -52,7 +52,7 @@ rm #{output_file}
## Atomic Test #2 - Process Discovery - tasklist
Utilize tasklist to identify processes.
Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
**Supported Platforms:** Windows
+1
View File
@@ -13,6 +13,7 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections
**Supported Platforms:** Windows
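Review bot: "priviliges" in the heading "Enable Guest account with RDP capability and admin priviliges" is misspelled ("privileges"); headings come from the atomic's name field, so the fix belongs in the YAML and will propagate on the next regeneration. Given that the description leaves Guest enabled, in Administrators and Remote Desktop Users, and with multiple RDP connections allowed, the description should also state that cleanup reverses each of those changes, since a failed cleanup here leaves a working remote foothold.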
+1
View File
@@ -17,6 +17,7 @@ Adversaries may abuse these native API functions as a means of executing behavio
## Atomic Test #1 - Execution through API - CreateProcess
Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt.
**Supported Platforms:** Windows
+1
View File
@@ -35,6 +35,7 @@ CAUTION! Be very careful to not exceed the password lockout threshold for users
This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray.
Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.
See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5
**Supported Platforms:** Windows
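Review bot: "get_prereq_command's" should be "get_prereq_commands" (the field name, no apostrophe). Otherwise the description is good: it names the fixed password (Spring2020), says what success ("[*] username:password") and failure (a period) look like, and carries the lockout caution. Suggest the caution also name the input argument the operator must change, since the text says to "use the input arguments to specify your own password" without identifying it.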
+1
View File
@@ -115,6 +115,7 @@ get-smbshare -Name #{computer_name}
## Atomic Test #4 - View available share drives
View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session
**Supported Platforms:** Windows
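Review bot: "avalaible" is misspelled, and two sentences have run together in the description ("on the local computer Upon execution"); suggest "View information about all of the resources that are shared on the local computer. Upon execution, available share drives will be displayed in the PowerShell session." in the source YAML so the generated file picks it up.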
+2
View File
@@ -21,6 +21,7 @@ There have also been instances of botnets using a persistent backdoor through ma
## Atomic Test #1 - Chrome (Developer Mode)
**Supported Platforms:** Linux, Windows, macOS
@@ -46,6 +47,7 @@ tick 'Developer Mode'.
## Atomic Test #2 - Chrome (Chrome Web Store)
**Supported Platforms:** Linux, Windows, macOS
+1 -1
View File
@@ -19,7 +19,7 @@ The values of the keys listed are commands that are executed when the handler op
## Atomic Test #1 - Change Default File Association
Change Default File Association From cmd.exe of hta to notepad.
Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe.
Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe.
**Supported Platforms:** Windows
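Review bot: "Change Default File Association From cmd.exe of hta to notepad." reads awkwardly; suggest "Use cmd.exe to change the default file association for .hta to notepad.exe." in the YAML, which also matches the second sentence. The removed and added lines here render identically, so this hunk itself is whitespace-only.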
+2 -2
View File
@@ -56,7 +56,7 @@ Adversaries can use these configuration locations to execute malware, such as re
## Atomic Test #1 - Reg Key Run
Run Key Persistence
Upon successful execution, cmd.exe will modify the registry by adding \"Atomic Red Team\" to the Run key. Output will be via stdout.
Upon successful execution, cmd.exe will modify the registry by adding \"Atomic Red Team\" to the Run key. Output will be via stdout.
**Supported Platforms:** Windows
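Review bot: the literal backslashes in \"Atomic Red Team\" on the description line show YAML escaping leaking into the generated markdown; the rendered doc should contain plain quotes. Check whether this description is a double-quoted YAML scalar with \" inside, and either switch it to a block scalar or have the generator unescape before writing. The identical removed/added lines mean this hunk itself is whitespace-only.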
@@ -91,7 +91,7 @@ REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red T
## Atomic Test #2 - Reg Key RunOnce
RunOnce Key Persistence.
Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout.
Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout.
**Supported Platforms:** Windows
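Review bot: the heading says "Reg Key RunOnce" and the first sentence "RunOnce Key Persistence.", but the second sentence says the DLL is loaded "to RunOnceEx". RunOnce and RunOnceEx are different registry keys with different semantics, so the description should name the key the command actually writes; the REG command for this test is not in the hunk, so confirm against the atomic's command and correct whichever side is wrong.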
+1
View File
@@ -13,6 +13,7 @@ The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentC
## Atomic Test #1 - Modify SSP configuration in registry
Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
**Supported Platforms:** Windows
-1
View File
@@ -72,7 +72,6 @@ start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx
<br/>
## Atomic Test #3 - DDEAUTO
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
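Review bot: this is the only hunk in the commit that removes a line without adding one, and the removed line is not visible in the rendering, so it was blank or whitespace-only. Confirm the generator did not drop the separator between the two reference links (TrustedSec Unicorn, SensePost DDEAUTO) and whatever follows them in the file, since a missing blank line there will make the links render as part of the next paragraph.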
+1 -1
View File
@@ -27,7 +27,7 @@ Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS o
## Atomic Test #1 - Compress Data for Exfiltration With Rar
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory
When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory
**Supported Platforms:** Windows
+1 -1
View File
@@ -13,7 +13,7 @@ Both compression and encryption are done prior to exfiltration, and can be perfo
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.
When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory
When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory
**Supported Platforms:** Windows
+1 -1
View File
@@ -725,7 +725,7 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet
## Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder
Malware can exclude a specific path from being scanned and evading detection.
Upon successul execution, the file provided should be on the list of excluded path.
To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
**Supported Platforms:** Windows
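Review bot: "successul" and "poweshell" are misspelled in the description, and the check should be phrased as a sentence or a command, e.g. "To check the exclusion list in PowerShell, run (Get-MpPreference).ExclusionPath". The cmdlet and property are correct as given. The removed and added lines render identically, so this hunk itself is whitespace-only.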
+1
View File
@@ -47,6 +47,7 @@ export HISTCONTROL=ignoreboth
## Atomic Test #2 - Mac HISTCONTROL
**Supported Platforms:** macOS, Linux
+1 -1
View File
@@ -18,7 +18,7 @@ LD_PRELOAD hijacking may grant access to the victim process's memory, system/net
## Atomic Test #1 - Shared Library Injection via /etc/ld.so.preload
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload.
Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload.
**Supported Platforms:** Linux
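Review bot: the description says bash echoes the relative path `../bin/T1574.006.so` into /etc/ld.so.preload. The dynamic loader resolves a relative entry from each process's own working directory, so a relative path in ld.so.preload fails to load for almost every process, and glibc prints an "object ... from /etc/ld.so.preload cannot be preloaded" error on every exec until the line is removed. Confirm that the atomic's command writes an absolute path (for example one built from $PathToAtomicsFolder, which the other tests in this commit use) and that the description is only abbreviating it; if it really writes a relative path, the test does not exercise the technique as described.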