Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1006/T1006.md

@@ -0,0 +1,45 @@
+# T1006 - File System Logical Offsets
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1006)
+<blockquote>Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
+
+Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - File System Logical Offsets using PowerShell](#atomic-test-1---file-system-logical-offsets-using-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - File System Logical Offsets using PowerShell
+This test uses PowerShell to copy files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| sam_binary_path | Path of the SAM file | string | C:\Windows\System32\config\sam|
+| system_binary_path | Path of the SYSTEM file | string | C:\Windows\System32\config\system|
+| security_binary_path | Path of the SECURITY file | string | C:\Windows\System32\config\security|
+| output_folder | Output folder path | Path | C:\Windows\Temp|
+
+#### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
+```
+. $PathToAtomicsFolder\T1006\src\Invoke-NinjaCopy.ps1
+Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
+Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
+Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
+```
+
+
+#### Cleanup Commands:
+```
+rm "#{output_folder}\sam"
+rm "#{output_folder}\system"
+rm "#{output_folder}\security"
+```
+
+<br/>

atomics/index.md

@@ -235,7 +235,8 @@
   - Atomic Test #11: wbadmin [windows]
   - Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
   - Atomic Test #13: Delete-PrefetchFile [windows]
-- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1006 File System Logical Offsets](./T1006/T1006.md)
+  - Atomic Test #1: File System Logical Offsets using PowerShell [windows]
 - [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
   - Atomic Test #1: Take ownership using takeown utility [windows]
   - Atomic Test #2: Take ownership recursively using takeown utility [windows]

atomics/index.yaml

@@ -7517,6 +7517,86 @@ defense-evasion:
           -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
 
 '
+  T1006:
+    technique:
+      x_mitre_data_sources:
+      - API monitoring
+      x_mitre_permissions_required:
+      - Administrator
+      name: File System Logical Offsets
+      description: |-
+        Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
+
+        Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)
+      id: attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5
+      x_mitre_platforms:
+      - Windows
+      object_marking_refs:
+      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+      x_mitre_version: '1.0'
+      type: attack-pattern
+      kill_chain_phases:
+      - kill_chain_name: mitre-attack
+        phase_name: defense-evasion
+      x_mitre_detection: |-
+        Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)
+
+        Monitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1086), additional logging of PowerShell scripts is recommended.
+      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      created: '2017-05-31T21:30:20.934Z'
+      modified: '2018-10-17T00:14:20.652Z'
+      external_references:
+      - external_id: T1006
+        source_name: mitre-attack
+        url: https://attack.mitre.org/techniques/T1006
+      - description: Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors
+          Directly from Disk using Logical Offsets. Retrieved November 12, 2014.
+        source_name: Hakobyan 2009
+        url: http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin
+      - description: Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved
+          June 2, 2016.
+        source_name: Github PowerSploit Ninjacopy
+        url: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
+      x_mitre_defense_bypassed:
+      - File monitoring
+      - File system access controls
+      identifier: T1006
+    atomic_tests:
+    - name: File System Logical Offsets using PowerShell
+      description: |
+        This test uses PowerShell to copy files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+        Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
+      supported_platforms:
+      - windows
+      input_arguments:
+        sam_binary_path:
+          description: Path of the SAM file
+          type: string
+          default: C:\Windows\System32\config\sam
+        system_binary_path:
+          description: Path of the SYSTEM file
+          type: string
+          default: C:\Windows\System32\config\system
+        security_binary_path:
+          description: Path of the SECURITY file
+          type: string
+          default: C:\Windows\System32\config\security
+        output_folder:
+          description: Output folder path
+          type: Path
+          default: C:\Windows\Temp
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          . $PathToAtomicsFolder\T1006\src\Invoke-NinjaCopy.ps1
+          Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
+          Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
+          Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
+        cleanup_command: |-
+          rm "#{output_folder}\sam"
+          rm "#{output_folder}\system"
+          rm "#{output_folder}\security"
   T1222:
     technique:
       x_mitre_data_sources:

atomics/matrix.md

@@ -24,7 +24,7 @@
 |  | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) |  |  |  | [Uncommonly Used Port](./T1065/T1065.md) |
 |  | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | [PowerShell Profile](./T1504/T1504.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) |  |  |  | [Web Service](./T1102/T1102.md) |
 |  | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Process Injection](./T1055/T1055.md) | [File Deletion](./T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) |  |  |  |  |
-|  | [Signed Binary Proxy Execution](./T1218/T1218.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Time Discovery](./T1124/T1124.md) |  |  |  |  |
+|  | [Signed Binary Proxy Execution](./T1218/T1218.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File System Logical Offsets](./T1006/T1006.md) |  | [System Time Discovery](./T1124/T1124.md) |  |  |  |  |
 |  | [Signed Script Proxy Execution](./T1216/T1216.md) | [Kernel Modules and Extensions](./T1215/T1215.md) | [Scheduled Task](./T1053/T1053.md) | [File and Directory Permissions Modification](./T1222/T1222.md) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |
 |  | [Source](./T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](./T1058/T1058.md) | [Gatekeeper Bypass](./T1144/T1144.md) |  |  |  |  |  |  |
 |  | [Space after Filename](./T1151/T1151.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |

atomics/windows-index.md

@@ -61,7 +61,8 @@
   - Atomic Test #10: bcdedit [windows]
   - Atomic Test #11: wbadmin [windows]
   - Atomic Test #13: Delete-PrefetchFile [windows]
-- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1006 File System Logical Offsets](./T1006/T1006.md)
+  - Atomic Test #1: File System Logical Offsets using PowerShell [windows]
 - [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
   - Atomic Test #1: Take ownership using takeown utility [windows]
   - Atomic Test #2: Take ownership recursively using takeown utility [windows]

atomics/windows-matrix.md

@@ -22,7 +22,7 @@
 |  | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Network Connections Discovery](./T1049/T1049.md) |  |  |  | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Owner/User Discovery](./T1033/T1033.md) |  |  |  | [Uncommonly Used Port](./T1065/T1065.md) |
 |  | [Signed Binary Proxy Execution](./T1218/T1218.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](./T1058/T1058.md) | [File Deletion](./T1107/T1107.md) |  | [System Service Discovery](./T1007/T1007.md) |  |  |  | [Web Service](./T1102/T1102.md) |
-|  | [Signed Script Proxy Execution](./T1216/T1216.md) | [Logon Scripts](./T1037/T1037.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Time Discovery](./T1124/T1124.md) |  |  |  |  |
+|  | [Signed Script Proxy Execution](./T1216/T1216.md) | [Logon Scripts](./T1037/T1037.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File System Logical Offsets](./T1006/T1006.md) |  | [System Time Discovery](./T1124/T1124.md) |  |  |  |  |
 |  | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Existing Service](./T1031/T1031.md) | [Web Shell](./T1100/T1100.md) | [File and Directory Permissions Modification](./T1222/T1222.md) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |
 |  | [Trusted Developer Utilities](./T1127/T1127.md) | [Netsh Helper DLL](./T1128/T1128.md) |  | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) |  | [Hidden Files and Directories](./T1158/T1158.md) |  |  |  |  |  |  |