Generate docs from job=validate_atomics_generate_docs branch=oscd

2020-10-15 16:59:46 +00:00
parent 761eb9cc72
commit ce8e4dcf80
10 changed files with 74 additions and 3 deletions
@@ -680,6 +680,7 @@ collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f05622
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Import,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
+collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
@@ -384,6 +384,7 @@ collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
 collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
+collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
 execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
@@ -1251,6 +1251,7 @@
  - Atomic Test #2: Screencapture (silent) [macos]
  - Atomic Test #3: X Windows Capture [linux]
  - Atomic Test #4: Import [linux]
+  - Atomic Test #5: Windows Screencapture [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -765,7 +765,8 @@
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1113 Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1113 Screen Capture](../../T1113/T1113.md)
+  - Atomic Test #5: Windows Screencapture [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -26,7 +26,7 @@
 |  | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
 |  | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
 |  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -51479,6 +51479,32 @@ collection:

 '
        name: bash
+    - name: Windows Screencapture
+      auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
+      description: 'Use Psr.exe binary to collect screenshots of user display. Test
+        will do left mouse click to simulate user behaviour
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: Output file path
+          type: Path
+          default: c:\temp\T1113_desktop.zip
+        recording_time:
+          description: Time to take screenshots
+          type: String
+          default: 5
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
+          Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
+          [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
+          cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
+        cleanup_command: 'rm #{output_file}'
  T1213.002:
    technique:
      external_references:
@@ -13,6 +13,8 @@

 - [Atomic Test #4 - Import](#atomic-test-4---import)

+- [Atomic Test #5 - Windows Screencapture](#atomic-test-5---windows-screencapture)
+

 <br/>

@@ -146,4 +148,41 @@ rm #{output_file}



+<br/>
+<br/>
+
+## Atomic Test #5 - Windows Screencapture
+Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Output file path | Path | c:&#92;temp&#92;T1113_desktop.zip|
+| recording_time | Time to take screenshots | String | 5|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
+Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
+[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
+cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
+```
+
+#### Cleanup Commands:
+```powershell
+rm #{output_file}
+```
+
+
+
+
+
 <br/>
@@ -71,6 +71,7 @@ atomic_tests:
      rm #{output_file}
    name: bash
 - name: Windows Screencapture
+  auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
  description: |
    Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
  supported_platforms:
@@ -582,3 +582,4 @@ f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
 b721c6ef-472c-4263-a0d9-37f1f4ecff66
 fcec2963-9951-4173-9bfa-98d8b7834e62
 dc7726d2-8ccb-4cc6-af22-0d5afb53a548
+3c898f62-626c-47d5-aad2-6de873d69153