Generate docs from job=validate_atomics_generate_docs branch=master

2019-11-09 02:14:44 +00:00
parent 940b93af67
commit eb9f0fbcd6
4 changed files with 114 additions and 0 deletions
@@ -30,6 +30,10 @@ An example of abuse of trusted locations in Linux  would be the <code>/bin</code

 - [Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe](#atomic-test-5---masquerading---powershellexe-running-as-taskhostwexe)

+- [Atomic Test #6 - Masquerading - non-windows exe running as windows exe](#atomic-test-6---masquerading---non-windows-exe-running-as-windows-exe)
+
+- [Atomic Test #7 - Masquerading - windows exe running as different windows exe](#atomic-test-7---masquerading---windows-exe-running-as-different-windows-exe)
+

 <br/>

@@ -132,3 +136,59 @@ del /Q /F %APPDATA%\taskhostw.exe
 ```

 <br/>
+<br/>
+
+## Atomic Test #6 - Masquerading - non-windows exe running as windows exe
+Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| inputfile | path of file to copy | path | $PathToAtomicsFolder\T1036\bin\t1036.exe|
+| outputfile | path of file to execute | path | ($env:SystemRoot + "\Temp\scvhost.exe")|
+
+#### Run it with `powershell`! 
+```
+copy #{inputfile} #{outputfile}
+$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
+Stop-Process -ID $myT1036
+```
+
+
+#### Cleanup Commands:
+```
+del #{outputfile}
+```
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Masquerading - windows exe running as different windows exe
+Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| inputfile | path of file to copy | path | $env:ComSpec|
+| outputfile | path of file to execute | path | ($env:SystemRoot + "\Temp\scvhost.exe")|
+
+#### Run it with `powershell`! 
+```
+copy #{inputfile} #{outputfile}
+$myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
+Stop-Process -ID $myT1036
+```
+
+
+#### Cleanup Commands:
+```
+del #{outputfile}
+```
+
+<br/>
@@ -289,6 +289,8 @@
  - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
  - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
  - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
+  - Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
+  - Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
 - [T1112 Modify Registry](./T1112/T1112.md)
  - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
@@ -8540,6 +8540,56 @@ defense-evasion:
        cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe

 '
+    - name: Masquerading - non-windows exe running as windows exe
+      description: 'Copies an exe, renames it as a windows exe, and launches it to
+        masquerade as a real windows exe
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        inputfile:
+          description: path of file to copy
+          type: path
+          default: "$PathToAtomicsFolder\\T1036\\bin\\t1036.exe"
+        outputfile:
+          description: path of file to execute
+          type: path
+          default: ($env:SystemRoot + "\Temp\scvhost.exe")
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          copy #{inputfile} #{outputfile}
+          $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
+          Stop-Process -ID $myT1036
+        cleanup_command: 'del #{outputfile}
+
+'
+    - name: Masquerading - windows exe running as different windows exe
+      description: 'Copies a windows exe, renames it as another windows exe, and launches
+        it to masquerade as second windows exe
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        inputfile:
+          description: path of file to copy
+          type: path
+          default: "$env:ComSpec"
+        outputfile:
+          description: path of file to execute
+          type: path
+          default: ($env:SystemRoot + "\Temp\scvhost.exe")
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          copy #{inputfile} #{outputfile}
+          $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id
+          Stop-Process -ID $myT1036
+        cleanup_command: 'del #{outputfile}'
  T1112:
    technique:
      x_mitre_data_sources:
@@ -89,6 +89,8 @@
  - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
  - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
  - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
+  - Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
+  - Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
 - [T1112 Modify Registry](./T1112/T1112.md)
  - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]