Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1037/T1037.md

@@ -14,7 +14,11 @@ Mac allows login and logoff hooks to be run as root whenever a specific user log
 
 - [Atomic Test #1 - Logon Scripts](#atomic-test-1---logon-scripts)
 
-- [Atomic Test #2 - Logon Scripts - Mac](#atomic-test-2---logon-scripts---mac)
+- [Atomic Test #2 - Starup Folder Script](#atomic-test-2---starup-folder-script)
+
+- [Atomic Test #3 - Scheduled Task Startup Script](#atomic-test-3---scheduled-task-startup-script)
+
+- [Atomic Test #4 - Logon Scripts - Mac](#atomic-test-4---logon-scripts---mac)
 
 
 <br/>
@@ -44,7 +48,53 @@ REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
 <br/>
 <br/>
 
-## Atomic Test #2 - Logon Scripts - Mac
+## Atomic Test #2 - Starup Folder Script
+A batch file on startup when placed in the start menu folder
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! 
+```
+New-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+Set-Content "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+```
+
+
+#### Cleanup Commands:
+```
+Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+```
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Scheduled Task Startup Script
+Run an exe on user logon or system startup
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
+```
+schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
+schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
+```
+
+
+#### Cleanup Commands:
+```
+schtasks /delete /tn "T1037_OnLogon" /f
+schtasks /delete /tn "T1037_OnStartup" /f
+```
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Logon Scripts - Mac
 Mac logon script
 
 **Supported Platforms:** macOS

atomics/index.md

@@ -86,7 +86,9 @@
 - T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037 Logon Scripts](./T1037/T1037.md)
   - Atomic Test #1: Logon Scripts [windows]
-  - Atomic Test #2: Logon Scripts - Mac [macos]
+  - Atomic Test #2: Starup Folder Script [windows]
+  - Atomic Test #3: Scheduled Task Startup Script [windows]
+  - Atomic Test #4: Logon Scripts - Mac [macos]
 - [T1031 Modify Existing Service](./T1031/T1031.md)
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
 - [T1128 Netsh Helper DLL](./T1128/T1128.md)
@@ -803,7 +805,9 @@
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037 Logon Scripts](./T1037/T1037.md)
   - Atomic Test #1: Logon Scripts [windows]
-  - Atomic Test #2: Logon Scripts - Mac [macos]
+  - Atomic Test #2: Starup Folder Script [windows]
+  - Atomic Test #3: Scheduled Task Startup Script [windows]
+  - Atomic Test #4: Logon Scripts - Mac [macos]
 - [T1075 Pass the Hash](./T1075/T1075.md)
   - Atomic Test #1: crackmapexec Pass the Hash [windows]
 - [T1097 Pass the Ticket](./T1097/T1097.md)

atomics/index.yaml

@@ -2880,6 +2880,38 @@ persistence:
           /f
 
 '
+    - name: Starup Folder Script
+      description: 'A batch file on startup when placed in the start menu folder
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          New-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+          Set-Content "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+          New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+          Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+        cleanup_command: |
+          Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+          Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+    - name: Scheduled Task Startup Script
+      description: 'Run an exe on user logon or system startup
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
+          schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
+        cleanup_command: |
+          schtasks /delete /tn "T1037_OnLogon" /f
+          schtasks /delete /tn "T1037_OnStartup" /f
     - name: Logon Scripts - Mac
       description: 'Mac logon script
 
@@ -23061,6 +23093,38 @@ lateral-movement:
           /f
 
 '
+    - name: Starup Folder Script
+      description: 'A batch file on startup when placed in the start menu folder
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          New-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+          Set-Content "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+          New-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+          Set-Content "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat" "echo T1037"
+        cleanup_command: |
+          Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+          Remove-Item "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\T1037.bat"
+    - name: Scheduled Task Startup Script
+      description: 'Run an exe on user logon or system startup
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          schtasks /create /tn "T1037_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
+          schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
+        cleanup_command: |
+          schtasks /delete /tn "T1037_OnLogon" /f
+          schtasks /delete /tn "T1037_OnStartup" /f
     - name: Logon Scripts - Mac
       description: 'Mac logon script
 

atomics/macos-index.md

@@ -34,7 +34,7 @@
   - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
 - T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037 Logon Scripts](./T1037/T1037.md)
-  - Atomic Test #2: Logon Scripts - Mac [macos]
+  - Atomic Test #4: Logon Scripts - Mac [macos]
 - [T1150 Plist Modification](./T1150/T1150.md)
   - Atomic Test #1: Plist Modification [macos]
 - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -157,7 +157,7 @@
 - T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037 Logon Scripts](./T1037/T1037.md)
-  - Atomic Test #2: Logon Scripts - Mac [macos]
+  - Atomic Test #4: Logon Scripts - Mac [macos]
 - [T1105 Remote File Copy](./T1105/T1105.md)
   - Atomic Test #1: rsync remote file copy (push) [linux, macos]
   - Atomic Test #2: rsync remote file copy (pull) [linux, macos]

atomics/windows-index.md

@@ -288,6 +288,8 @@
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037 Logon Scripts](./T1037/T1037.md)
   - Atomic Test #1: Logon Scripts [windows]
+  - Atomic Test #2: Starup Folder Script [windows]
+  - Atomic Test #3: Scheduled Task Startup Script [windows]
 - [T1031 Modify Existing Service](./T1031/T1031.md)
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
 - [T1128 Netsh Helper DLL](./T1128/T1128.md)
@@ -483,6 +485,8 @@
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037 Logon Scripts](./T1037/T1037.md)
   - Atomic Test #1: Logon Scripts [windows]
+  - Atomic Test #2: Starup Folder Script [windows]
+  - Atomic Test #3: Scheduled Task Startup Script [windows]
 - [T1075 Pass the Hash](./T1075/T1075.md)
   - Atomic Test #1: crackmapexec Pass the Hash [windows]
 - [T1097 Pass the Ticket](./T1097/T1097.md)