From 9d1146ae8a4c847ff8fa8b90fb35e22ea1e4bd72 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 24 Apr 2020 17:39:30 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/Indexes/index.yaml | 30 +++++++++++++++---------------
 atomics/T1081/T1081.md | 7 ++++---
 atomics/T1082/T1082.md | 6 +++---
 atomics/T1141/T1141.md | 2 +-
 atomics/T1145/T1145.md | 5 -----
 5 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 711a0f14..a66c4b27 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18920,7 +18920,8 @@ discovery:
 identifier: T1082
 atomic_tests:
 - name: System Information Discovery
- description: 'Identify System Info
+ description: 'Identify System Info. Upon execution, system info and time info
+ will be displayed.
 
 '
 supported_platforms:
@@ -18993,7 +18994,8 @@ discovery:
 sudo lsmod | grep -i "virtio_pci\|virtio_net"
 sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
 - name: Hostname Discovery (Windows)
- description: 'Identify system hostname for Windows.
+ description: 'Identify system hostname for Windows. Upon execution, the hostname
+ of the device will be displayed.
 
 '
 supported_platforms:
@@ -19018,7 +19020,8 @@ discovery:
 
 '
 - name: Windows MachineGUID Discovery
- description: 'Identify the Windows MachineGUID value for a system.
+ description: 'Identify the Windows MachineGUID value for a system. Upon execution,
+ the machine GUID will be displayed from registry.
 
 '
 supported_platforms:
@@ -20737,7 +20740,8 @@ credential-access:
 
 '
 - name: Extracting passwords with findstr
- description: 'Extracting Credentials from Files
+ description: 'Extracting Credentials from Files. Upon execution, the contents
+ of files that contain the word "password" will be displayed.
 
 '
 supported_platforms:
@@ -20749,18 +20753,17 @@ credential-access:
 findstr /si pass *.xml *.doc *.txt *.xls
 ls -R | select-string -Pattern password
 - name: Access unattend.xml
- description: 'Attempts to access unattend.xml, where credentials are commonly
- stored, within the Panther directory where installation logs are stored.
-
-'
+ description: |
+ Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+ If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
 supported_platforms:
 - windows
 executor:
 name: command_prompt
 elevation_required: true
 command: |
- type C:\Windows\Panther\unattend.xml > nul 2>&1
- type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
+ type C:\Windows\Panther\unattend.xml
+ type C:\Windows\Panther\Unattend\unattend.xml
 T1214:
 technique:
 x_mitre_permissions_required:
@@ -21150,7 +21153,7 @@ credential-access:
 '
 - name: PowerShell - Prompt User for Password
 description: |
- Prompt User for Password (Local Phishing) as seen in Stitch RAT.
+ Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
 
 Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
 supported_platforms:
@@ -21586,10 +21589,7 @@ credential-access:
 executor:
 name: command_prompt
 elevation_required: true
- command: |
- echo "ATOMICREDTEAM" > %windir%\cert.key
- dir c:\ /b /s .key | findstr /e .key
- cleanup_command: 'del c:\Windows\cert.key >nul 2>&1
+ command: 'dir c:\ /b /s .key | findstr /e .key
 
 '
 - name: Discover Private SSH Keys
diff --git a/atomics/T1081/T1081.md b/atomics/T1081/T1081.md
index 806c016f..d0b8f1d5 100644
--- a/atomics/T1081/T1081.md
+++ b/atomics/T1081/T1081.md
@@ -75,7 +75,7 @@ grep -ri password #{file_path}
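Review bot: Removing `> nul 2>&1` from the two `type` commands in the Access unattend.xml test means the file's contents, which the new description says hold credentials and answers for unattended installs, now go to the executor's stdout, so any runner or CI job that captures test output will retain those credentials in its logs. The previous form deliberately discarded the output and still exercised the file access, which is what a detection for this technique keys on. Since index.yaml is generated, the fix belongs in the source atomic YAML for this test: either keep the redirect, or prove the file is reachable without echoing it, e.g. `if exist C:\Windows\Panther\unattend.xml echo unattend.xml present`. The added description line `If these files exist, their contents will be displayed.` would then need to be revised to match.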
 ## Atomic Test #3 - Extracting passwords with findstr
-Extracting Credentials from Files
+Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
 
 **Supported Platforms:** Windows
@@ -101,6 +101,7 @@ ls -R | select-string -Pattern password
 ## Atomic Test #4 - Access unattend.xml
 Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
 
 **Supported Platforms:** Windows
@@ -112,8 +113,8 @@ Attempts to access unattend.xml, where credentials are commonly stored, within t
 ```cmd
-type C:\Windows\Panther\unattend.xml > nul 2>&1
-type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
+type C:\Windows\Panther\unattend.xml
+type C:\Windows\Panther\Unattend\unattend.xml
 ```
diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md
index c6ae995c..3f757a7c 100644
--- a/atomics/T1082/T1082.md
+++ b/atomics/T1082/T1082.md
@@ -44,7 +44,7 @@ In Azure, the API request GET https://management.azure.com/subscriptions/{
 ## Atomic Test #1 - System Information Discovery
-Identify System Info
+Identify System Info. Upon execution, system info and time info will be displayed.
 
 **Supported Platforms:** Windows
@@ -182,7 +182,7 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
 ## Atomic Test #6 - Hostname Discovery (Windows)
-Identify system hostname for Windows.
+Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
 
 **Supported Platforms:** Windows
@@ -230,7 +230,7 @@ hostname
 ## Atomic Test #8 - Windows MachineGUID Discovery
-Identify the Windows MachineGUID value for a system.
+Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
 
 **Supported Platforms:** Windows
diff --git a/atomics/T1141/T1141.md b/atomics/T1141/T1141.md
index b3cd6531..1aca40c6 100644
--- a/atomics/T1141/T1141.md
+++ b/atomics/T1141/T1141.md
@@ -39,7 +39,7 @@ osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Pr
 ## Atomic Test #2 - PowerShell - Prompt User for Password
-Prompt User for Password (Local Phishing) as seen in Stitch RAT.
+Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
 
 Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
diff --git a/atomics/T1145/T1145.md b/atomics/T1145/T1145.md
index 74bcd4ff..60c30c87 100644
--- a/atomics/T1145/T1145.md
+++ b/atomics/T1145/T1145.md
@@ -35,14 +35,9 @@ File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .
 ```cmd
-echo "ATOMICREDTEAM" > %windir%\cert.key
 dir c:\ /b /s .key | findstr /e .key
 ```
 
-#### Cleanup Commands:
-```cmd
-del c:\Windows\cert.key >nul 2>&1
-```