From f4eac66bb7bf09ade3050f00bb18ef7797ae4690 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator <email>
Date: Mon, 23 Dec 2019 15:20:41 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs
 branch=master

---
 atomics/T1165/T1165.md | 28 ++++++++++++++-----------
 atomics/index.md       |  8 ++++----
 atomics/index.yaml     | 46 +++++++++++++++++++++++++-----------------
 atomics/macos-index.md |  8 ++++----
 4 files changed, 52 insertions(+), 38 deletions(-)

diff --git a/atomics/T1165/T1165.md b/atomics/T1165/T1165.md
index d84f360e..65d32b1c 100644
--- a/atomics/T1165/T1165.md
+++ b/atomics/T1165/T1165.md
@@ -6,33 +6,37 @@ An adversary can create the appropriate folders/files in the StartupItems direct
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Startup Items](#atomic-test-1---startup-items)
+- [Atomic Test #1 - add file to Local Library StartupItems](#atomic-test-1---add-file-to-local-library-startupitems)
 
-- [Atomic Test #2 - Startup Items (emond rule)](#atomic-test-2---startup-items-emond-rule)
+- [Atomic Test #2 - Persistance with Event Monitor - emond](#atomic-test-2---persistance-with-event-monitor---emond)
 
 
 <br/>
 
-## Atomic Test #1 - Startup Items
-Modify or create an file in StartupItems
+## Atomic Test #1 - add file to Local Library StartupItems
+Modify or create an file in /Library/StartupItems
 
 [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
 
 **Supported Platforms:** macOS
 
 
-#### Run it with these steps! 
-1. /Library/StartupItems/StartupParameters.plist
-
-
+#### Run it with `sh`!  Elevation Required (e.g. root or admin) 
+```
+sudo touch /Library/StartupItems/EvilStartup.plist
+```
 
 
+#### Cleanup Commands:
+```
+sudo rm /Library/StartupItems/EvilStartup.plist
+```
 
 <br/>
 <br/>
 
-## Atomic Test #2 - Startup Items (emond rule)
-Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+## Atomic Test #2 - Persistance with Event Monitor - emond
+Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
 
 **Supported Platforms:** macOS
 
@@ -40,9 +44,9 @@ Establish persistence via a rule run by emond daemon at startup, based on https:
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| plist | Path to emond plist file | path | /path/to/T1165_emond.plist|
+| plist | Path to attacker emond plist file | path | $PathToAtomics/T1165/src/T1165_emond.plist|
 
-#### Run it with `sh`! 
+#### Run it with `sh`!  Elevation Required (e.g. root or admin) 
 ```
 sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
 sudo touch /private/var/db/emondClients/T1165
diff --git a/atomics/index.md b/atomics/index.md
index 44b7afed..59d15a88 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -134,8 +134,8 @@
   - Atomic Test #1: Shortcut Modification [windows]
   - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
 - [T1165 Startup Items](./T1165/T1165.md)
-  - Atomic Test #1: Startup Items [macos]
-  - Atomic Test #2: Startup Items (emond rule) [macos]
+  - Atomic Test #1: add file to Local Library StartupItems [macos]
+  - Atomic Test #2: Persistance with Event Monitor - emond [macos]
 - T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1501 Systemd Service](./T1501/T1501.md)
   - Atomic Test #1: Create Systemd Service [linux]
@@ -478,8 +478,8 @@
   - Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
   - Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
 - [T1165 Startup Items](./T1165/T1165.md)
-  - Atomic Test #1: Startup Items [macos]
-  - Atomic Test #2: Startup Items (emond rule) [macos]
+  - Atomic Test #1: add file to Local Library StartupItems [macos]
+  - Atomic Test #2: Persistance with Event Monitor - emond [macos]
 - [T1169 Sudo](./T1169/T1169.md)
   - Atomic Test #1: Sudo usage [macos, linux]
 - [T1206 Sudo Caching](./T1206/T1206.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 1c0d5d5b..323003dd 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -4663,32 +4663,37 @@ persistence:
       modified: '2019-07-18T17:58:17.016Z'
       identifier: T1165
     atomic_tests:
-    - name: Startup Items
+    - name: add file to Local Library StartupItems
       description: |
-        Modify or create an file in StartupItems
+        Modify or create an file in /Library/StartupItems
 
         [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
       supported_platforms:
       - macos
       executor:
-        name: manual
-        steps: '1. /Library/StartupItems/StartupParameters.plist
+        name: sh
+        elevation_required: true
+        command: 'sudo touch /Library/StartupItems/EvilStartup.plist
 
 '
-    - name: Startup Items (emond rule)
-      description: 'Establish persistence via a rule run by emond daemon at startup,
-        based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+        cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
+
+'
+    - name: Persistance with Event Monitor - emond
+      description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
+        daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
 
 '
       supported_platforms:
       - macos
       input_arguments:
         plist:
-          description: Path to emond plist file
+          description: Path to attacker emond plist file
           type: path
-          default: "/path/to/T1165_emond.plist"
+          default: "$PathToAtomics/T1165/src/T1165_emond.plist"
       executor:
         name: sh
+        elevation_required: true
         command: |
           sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
           sudo touch /private/var/db/emondClients/T1165
@@ -15040,32 +15045,37 @@ privilege-escalation:
       modified: '2019-07-18T17:58:17.016Z'
       identifier: T1165
     atomic_tests:
-    - name: Startup Items
+    - name: add file to Local Library StartupItems
       description: |
-        Modify or create an file in StartupItems
+        Modify or create an file in /Library/StartupItems
 
         [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
       supported_platforms:
       - macos
       executor:
-        name: manual
-        steps: '1. /Library/StartupItems/StartupParameters.plist
+        name: sh
+        elevation_required: true
+        command: 'sudo touch /Library/StartupItems/EvilStartup.plist
 
 '
-    - name: Startup Items (emond rule)
-      description: 'Establish persistence via a rule run by emond daemon at startup,
-        based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+        cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
+
+'
+    - name: Persistance with Event Monitor - emond
+      description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
+        daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
 
 '
       supported_platforms:
       - macos
       input_arguments:
         plist:
-          description: Path to emond plist file
+          description: Path to attacker emond plist file
           type: path
-          default: "/path/to/T1165_emond.plist"
+          default: "$PathToAtomics/T1165/src/T1165_emond.plist"
       executor:
         name: sh
+        elevation_required: true
         command: |
           sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
           sudo touch /private/var/db/emondClients/T1165
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index b6dee394..363c81ea 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -46,8 +46,8 @@
   - Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
   - Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
 - [T1165 Startup Items](./T1165/T1165.md)
-  - Atomic Test #1: Startup Items [macos]
-  - Atomic Test #2: Startup Items (emond rule) [macos]
+  - Atomic Test #1: add file to Local Library StartupItems [macos]
+  - Atomic Test #2: Persistance with Event Monitor - emond [macos]
 - [T1154 Trap](./T1154/T1154.md)
   - Atomic Test #1: Trap [macos, linux]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -363,8 +363,8 @@
   - Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
   - Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
 - [T1165 Startup Items](./T1165/T1165.md)
-  - Atomic Test #1: Startup Items [macos]
-  - Atomic Test #2: Startup Items (emond rule) [macos]
+  - Atomic Test #1: add file to Local Library StartupItems [macos]
+  - Atomic Test #2: Persistance with Event Monitor - emond [macos]
 - [T1169 Sudo](./T1169/T1169.md)
   - Atomic Test #1: Sudo usage [macos, linux]
 - [T1206 Sudo Caching](./T1206/T1206.md)