From c086f9f2df46e29f3945d2999fbe243e2fa3e693 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 11 Mar 2020 00:59:09 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1118/T1118.md | 20 ++++++--- atomics/T1121/T1121.md | 18 ++++----- atomics/index.yaml | 92 ++++++++++++++++++++++++------------------ 3 files changed, 75 insertions(+), 55 deletions(-) diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md index 2ed8e2ae..544ffdf3 100644 --- a/atomics/T1118/T1118.md +++ b/atomics/T1118/T1118.md @@ -22,16 +22,20 @@ Executes the Uninstall Method #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| filename | location of the payload | Path | PathToAtomicsFolder\T1118\src\T1118.dll| +| output_file | location of the payload | Path | %tmp%\T1118.dll| | source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs| #### Attack Commands: Run with `command_prompt`! ``` -C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} -C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown) +C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} +C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file} ``` +#### Cleanup Commands: +``` +del #{output_file} >nul 2>&1 +``` #### Dependencies: Run with `powershell`! 
@@ -61,16 +65,20 @@ Executes the Uninstall Method #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| filename | location of the payload | Path | PathToAtomicsFolder\T1118\src\T1118.dll| +| output_file | location of the payload | Path | %tmp%\T1118.dll| | source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs| #### Attack Commands: Run with `command_prompt`! ``` -C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} -C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown) +C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} +C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file} ``` +#### Cleanup Commands: +``` +del #{output_file} >nul 2>&1 +``` #### Dependencies: Run with `powershell`! diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md index 991a7fc2..26e37deb 100644 --- a/atomics/T1121/T1121.md +++ b/atomics/T1121/T1121.md @@ -22,19 +22,19 @@ Executes the Uninstall Method, No Admin Rights Required #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| file_name | Location of the payload | Path | T1121.dll| +| output_file | Location of the payload | Path | %tmp%\T1121.dll| | source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1121\src\T1121.cs| #### Attack Commands: Run with `command_prompt`! ``` C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file} -C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name} +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} ``` #### Cleanup Commands: ``` -del #{file_name} >nul 2>&1 +del #{output_file} >nul 2>&1 ``` 
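Review bot: In the Regasm test's attack commands, `csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}` is run without an `/out:` switch, so as far as I can tell csc writes the DLL into the current working directory as T1121.dll, while the following `regasm.exe /U #{output_file}` and the cleanup `del #{output_file}` now point at the new default `%tmp%\T1121.dll` — the old cwd-relative default `T1121.dll` happened to coincide with csc's output, the new one does not, so the uninstall step and the cleanup appear to miss the compiled file. The csc line should carry the output path, i.e. `C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{output_file} #{source_file}`, matching what the T1118 hunks already do. The same mismatch applies to the Regsvcs test in the next T1121.md hunk (@@ -73,15), whose csc line likewise lacks `/out:` before `regsvcs.exe #{output_file}`, and to the corresponding index.yaml hunks (@@ -10989, @@ -11023, @@ -22703, @@ -22737). Since the subject says these files are generated, the correction belongs in the T1121 atomic's source YAML rather than in these outputs.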
@@ -65,7 +65,7 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| file_name | Location of the payload | Path | T1121.dll| +| output_file | Location of the payload | Path | $Env:TEMP\T1121.dll| | source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1121\src\T1121.cs| 
@@ -73,15 +73,15 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK ``` $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $Content = [System.Convert]::FromBase64String($key) -Set-Content key.snk -Value $Content -Encoding Byte -C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file} -C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name} +Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte +C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:$env:Temp\key.snk #{source_file} +C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file} ``` #### Cleanup Commands: ``` -del #{file_name} >nul 2>&1 -del key.snk >nul 2>&1 +Remove-Item #{output_file} -ErrorAction Ignore | Out-Null +Remove-Item $env:Temp\key.snk -ErrorAction Ignore | Out-Null ``` diff --git a/atomics/index.yaml b/atomics/index.yaml index f63dcb05..776386fc 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -9127,10 +9127,10 @@ defense-evasion: supported_platforms: - windows input_arguments: - filename: + output_file: description: location of the payload type: Path - default: PathToAtomicsFolder\T1118\src\T1118.dll + default: "%tmp%\\T1118.dll" source: description: location of the source code to compile type: Path @@ -9146,8 +9146,11 @@ defense-evasion: name: command_prompt elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown) + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} + C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file} + cleanup_command: 'del #{output_file} >nul 2>&1 + +' - name: InstallUtil GetHelp method call description: 'Executes the Uninstall Method @@ -9155,10 +9158,10 @@ defense-evasion: supported_platforms: - windows input_arguments: - filename: + output_file: description: location of the payload type: Path - default: PathToAtomicsFolder\T1118\src\T1118.dll + default: "%tmp%\\T1118.dll" source: description: location of the source code to compile type: Path @@ -9174,8 +9177,11 @@ defense-evasion: name: command_prompt elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown) + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} + C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file} + cleanup_command: 'del #{output_file} >nul 2>&1 + +' T1152: technique: x_mitre_permissions_required: 
@@ -10968,10 +10974,10 @@ defense-evasion: supported_platforms: - windows input_arguments: - file_name: + output_file: description: Location of the payload type: Path - default: T1121.dll + default: "%tmp%\\T1121.dll" source_file: description: Location of the CSharp source_file type: Path @@ -10989,8 +10995,8 @@ defense-evasion: elevation_required: false command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name} - cleanup_command: 'del #{file_name} >nul 2>&1 + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} + cleanup_command: 'del #{output_file} >nul 2>&1 ' - name: Regsvs Uninstall Method Call Test @@ -11001,10 +11007,10 @@ defense-evasion: supported_platforms: - windows input_arguments: - file_name: + output_file: description: Location of the payload type: Path - default: T1121.dll + default: "$Env:TEMP\\T1121.dll" source_file: description: Location of the CSharp source_file type: Path 
@@ -11023,12 +11029,12 @@ defense-evasion: command: | $key = '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' $Content = [System.Convert]::FromBase64String($key) - Set-Content key.snk -Value $Content -Encoding Byte - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name} - cleanup_command: |- - del #{file_name} >nul 2>&1 - del key.snk >nul 2>&1 + Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:$env:Temp\key.snk #{source_file} + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file} + cleanup_command: | + Remove-Item #{output_file} -ErrorAction Ignore | Out-Null + Remove-Item $env:Temp\key.snk -ErrorAction Ignore | Out-Null T1117: technique: x_mitre_data_sources: @@ -21814,10 +21820,10 @@ execution: supported_platforms: - windows input_arguments: - filename: + output_file: description: location of the payload type: Path - default: PathToAtomicsFolder\T1118\src\T1118.dll + default: "%tmp%\\T1118.dll" source: description: location of the source code to compile type: Path @@ -21833,8 +21839,11 @@ execution: name: command_prompt elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown) + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} + C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file} + cleanup_command: 'del #{output_file} >nul 2>&1 + +' - name: InstallUtil GetHelp method call description: 'Executes the Uninstall Method 
@@ -21842,10 +21851,10 @@ execution: supported_platforms: - windows input_arguments: - filename: + output_file: description: location of the payload type: Path - default: PathToAtomicsFolder\T1118\src\T1118.dll + default: "%tmp%\\T1118.dll" source: description: location of the source code to compile type: Path @@ -21861,8 +21870,11 @@ execution: name: command_prompt elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown) + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} + C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file} + cleanup_command: 'del #{output_file} >nul 2>&1 + +' T1152: technique: x_mitre_permissions_required: @@ -22682,10 +22694,10 @@ execution: supported_platforms: - windows input_arguments: - file_name: + output_file: description: Location of the payload type: Path - default: T1121.dll + default: "%tmp%\\T1121.dll" source_file: description: Location of the CSharp source_file type: Path @@ -22703,8 +22715,8 @@ execution: elevation_required: false command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name} - cleanup_command: 'del #{file_name} >nul 2>&1 + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} + cleanup_command: 'del #{output_file} >nul 2>&1 ' - name: Regsvs Uninstall Method Call Test @@ -22715,10 +22727,10 @@ execution: supported_platforms: - windows input_arguments: - file_name: + output_file: description: Location of the payload type: Path - default: T1121.dll + default: "$Env:TEMP\\T1121.dll" source_file: description: Location of the CSharp source_file type: Path 
@@ -22737,12 +22749,12 @@ execution: command: | $key = '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' $Content = [System.Convert]::FromBase64String($key) - Set-Content key.snk -Value $Content -Encoding Byte - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name} - cleanup_command: |- - del #{file_name} >nul 2>&1 - del key.snk >nul 2>&1 + Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:$env:Temp\key.snk #{source_file} + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file} + cleanup_command: | + Remove-Item #{output_file} -ErrorAction Ignore | Out-Null + Remove-Item $env:Temp\key.snk -ErrorAction Ignore | Out-Null T1117: technique: x_mitre_data_sources: