Generate docs from job=validate_atomics_generate_docs branch=master

atomics/Indexes/Indexes-CSV/index.csv

@@ -545,6 +545,7 @@ execution,T1059.001,PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be
 execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
 execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
 execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -375,6 +375,7 @@ execution,T1059.001,PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be
 execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
 execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
 execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -987,6 +987,7 @@
   - Atomic Test #11: PowerShell Fileless Script Execution [windows]
   - Atomic Test #12: PowerShell Downgrade Attack [windows]
   - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #14: PowerShell Session Creation and Use [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -757,6 +757,7 @@
   - Atomic Test #11: PowerShell Fileless Script Execution [windows]
   - Atomic Test #12: PowerShell Downgrade Attack [windows]
   - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #14: PowerShell Session Creation and Use [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]

atomics/Indexes/index.yaml

@@ -39950,6 +39950,7 @@ execution:
           -contains "NTFS") {exit 0} else {exit 1}
         get_prereq_command: Write-Host Prereq's for this test cannot be met automatically
       executor:
+        name: powershell
         command: |
           Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
           $streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
@@ -39957,7 +39958,33 @@ execution:
         cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore
 
 '
+    - name: PowerShell Session Creation and Use
+      auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
+      description: |
+        Connect to a remote powershell session and interact with the host.
+        Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
+      supported_platforms:
+      - windows
+      input_arguments:
+        hostname_to_connect:
+          description: The host to connect to, by default it will connect to the local
+            machine
+          type: String
+          default: "$env:COMPUTERNAME"
+      dependencies:
+      - description: PSRemoting must be enabled
+        prereq_command: "Try {\n    New-PSSession -ComputerName #{hostname_to_connect}
+          -ErrorAction Stop | Out-Null\n    exit 0\n} \nCatch {\n    exit 1\n}"
+        get_prereq_command: Enable-PSRemoting
+      executor:
         name: powershell
+        elevation_required: true
+        command: |
+          New-PSSession -ComputerName #{hostname_to_connect}
+          Test-Connection $env:COMPUTERNAME
+          Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
+          Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+          Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
   T1059.006:
     technique:
       external_references:

atomics/T1059.001/T1059.001.md

@@ -36,6 +36,8 @@ PowerShell commands/scripts can also be executed without directly invoking the <
 
 - [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
 
+- [Atomic Test #14 - PowerShell Session Creation and Use](#atomic-test-14---powershell-session-creation-and-use)
+
 
 <br/>
 
@@ -457,4 +459,56 @@ Write-Host Prereq's for this test cannot be met automatically
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #14 - PowerShell Session Creation and Use
+Connect to a remote powershell session and interact with the host.
+Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| hostname_to_connect | The host to connect to, by default it will connect to the local machine | String | $env:COMPUTERNAME|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-PSSession -ComputerName #{hostname_to_connect}
+Test-Connection $env:COMPUTERNAME
+Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
+Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: PSRemoting must be enabled
+##### Check Prereq Commands:
+```powershell
+Try {
+    New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null
+    exit 0
+} 
+Catch {
+    exit 1
+} 
+```
+##### Get Prereq Commands:
+```powershell
+Enable-PSRemoting
+```
+
+
+
+
 <br/>

atomics/T1059.001/T1059.001.yaml

@@ -227,6 +227,7 @@ atomic_tests:
       Remove-Item #{ads_file} -Force -ErrorAction Ignore
 
 - name: PowerShell Session Creation and Use
+  auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
   description: |
     Connect to a remote powershell session and interact with the host.
     Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.

atomics/used_guids.txt

@@ -541,3 +541,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
 21748c28-2793-4284-9e07-d6d028b66702
 263ae743-515f-4786-ac7d-41ef3a0d4b2b
 2770dea7-c50f-457b-84c4-c40a47460d9f
+7c1acec2-78fa-4305-a3e0-db2a54cddecd