Generated docs from job=generate-docs branch=master [ci skip]
This commit is contained in:
Atomic Red Team doc generator
+102
-6
@@ -27500,11 +27500,27 @@ privilege-escalation:
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
xml_path:
|
||||
description: path of vbs to use when creating masquerading files
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'File to copy must exist on disk at specified location (#{xml_path})
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: |
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
|
||||
>$null 2>&1
|
||||
@@ -27540,11 +27556,27 @@ privilege-escalation:
|
||||
the industroyer2.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
xml_path:
|
||||
description: path of vbs to use when creating masquerading files
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'File to copy must exist on disk at specified location (#{xml_path})
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: |
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
|
||||
>$null 2>&1
|
||||
@@ -41567,11 +41599,27 @@ execution:
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
xml_path:
|
||||
description: path of vbs to use when creating masquerading files
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'File to copy must exist on disk at specified location (#{xml_path})
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: |
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
|
||||
>$null 2>&1
|
||||
@@ -41607,11 +41655,27 @@ execution:
|
||||
the industroyer2.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
xml_path:
|
||||
description: path of vbs to use when creating masquerading files
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'File to copy must exist on disk at specified location (#{xml_path})
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: |
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
|
||||
>$null 2>&1
|
||||
@@ -48052,11 +48116,27 @@ persistence:
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
xml_path:
|
||||
description: path of vbs to use when creating masquerading files
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'File to copy must exist on disk at specified location (#{xml_path})
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: |
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
|
||||
>$null 2>&1
|
||||
@@ -48092,11 +48172,27 @@ persistence:
|
||||
the industroyer2.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
xml_path:
|
||||
description: path of vbs to use when creating masquerading files
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'File to copy must exist on disk at specified location (#{xml_path})
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: |
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
cleanup_command: 'Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false
|
||||
>$null 2>&1
|
||||
|
||||
@@ -249,12 +249,17 @@ Create an scheduled task that executes notepad.exe after user login from XML by
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| xml_path | path of vbs to use when creating masquerading files | Path | PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
```
|
||||
|
||||
@@ -265,6 +270,19 @@ Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: File to copy must exist on disk at specified location (#{xml_path})
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -326,12 +344,17 @@ This technique was seen several times in tricbot malware and also with the targe
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| xml_path | path of vbs to use when creating masquerading files | Path | PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
$xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml")
|
||||
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
|
||||
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
|
||||
```
|
||||
|
||||
@@ -342,6 +365,19 @@ Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: File to copy must exist on disk at specified location (#{xml_path})
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
Reference in New Issue
Block a user