From eb69c4972bbf5b282fcafa6e3441ad771da833e4 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 3 Jul 2020 15:53:59 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-5
---
 atomics/Indexes/Indexes-CSV/index.csv | 2 -
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 -
 atomics/Indexes/Indexes-Markdown/index.md | 2 -
 .../Indexes/Indexes-Markdown/windows-index.md | 2 -
 atomics/Indexes/index.yaml | 40 -------------------
 atomics/T1040/T1040.md | 35 ----------------
 6 files changed, 83 deletions(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index a5209f37..13a93281 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -182,7 +182,6 @@ credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-credential-access,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -466,7 +465,6 @@ discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0
 discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-discovery,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
 discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
 discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index ddd04a85..4d90fd8a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -280,7 +280,6 @@ discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0
 discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
 discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-discovery,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
@@ -412,7 +411,6 @@ credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8
 credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
-credential-access,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 45438c98..1f6fe73f 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -397,7 +397,6 @@
 - Atomic Test #1: Packet Capture Linux [linux]
 - Atomic Test #2: Packet Capture macOS [macos]
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
 - Atomic Test #1: Powershell Mimikatz [windows]
 - Atomic Test #2: Gsecdump [windows]
@@ -874,7 +873,6 @@
 - Atomic Test #1: Packet Capture Linux [linux]
 - Atomic Test #2: Packet Capture macOS [macos]
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
 - Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
 - Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index a79c0166..1129b046 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -564,7 +564,6 @@
 - Atomic Test #5: Share Discovery with PowerView [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
 - Atomic Test #5: Examine local password policy - Windows [windows]
 - Atomic Test #6: Examine domain password policy - Windows [windows]
@@ -850,7 +849,6 @@
 - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- - Atomic Test #4: Packet Capture PowerShell [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
 - Atomic Test #1: Powershell Mimikatz [windows]
 - Atomic Test #2: Gsecdump [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index b5837c12..0cc06140 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18442,26 +18442,6 @@ credential-access:
 c:\windump.exe
 name: command_prompt
 elevation_required: true
- - name: Packet Capture PowerShell
- auto_generated_guid: 2bf62970-013a-4c74-b0a8-64030874e89a
- description: |
- Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
- installed, along with WinPCAP. Windump will require the windump executable.
-
- Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
- supported_platforms:
- - windows
- input_arguments:
- interface:
- description: Specify interface to perform PCAP on.
- type: String
- default: Ethernet0
- executor:
- command: |
- & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
- & c:\windump.exe
- name: powershell
- elevation_required: true
 T1003:
 technique:
 id: attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22
@@ -36660,26 +36640,6 @@ discovery:
 c:\windump.exe
 name: command_prompt
 elevation_required: true
- - name: Packet Capture PowerShell
- auto_generated_guid: 2bf62970-013a-4c74-b0a8-64030874e89a
- description: |
- Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
- installed, along with WinPCAP. Windump will require the windump executable.
-
- Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
- supported_platforms:
- - windows
- input_arguments:
- interface:
- description: Specify interface to perform PCAP on.
- type: String
- default: Ethernet0
- executor:
- command: |
- & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
- & c:\windump.exe
- name: powershell
- elevation_required: true
 T1201:
 technique:
 id: attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5
diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md
index ad9c9693..28fae95f 100644
--- a/atomics/T1040/T1040.md
+++ b/atomics/T1040/T1040.md
@@ -14,8 +14,6 @@ Network sniffing may also reveal configuration details, such as running services
 - [Atomic Test #3 - Packet Capture Windows Command Prompt](#atomic-test-3---packet-capture-windows-command-prompt)
-- [Atomic Test #4 - Packet Capture PowerShell](#atomic-test-4---packet-capture-powershell)
-
@@ -137,37 +135,4 @@ c:\windump.exe
-
-
-
-## Atomic Test #4 - Packet Capture PowerShell
-Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
-installed, along with WinPCAP. Windump will require the windump executable.
-
-Upon successful execution, tshark will spawn from powershell and capture 5 packets on interface Ethernet0.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | String | Ethernet0|
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-& "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-& c:\windump.exe
-```
-
-
-
-
-