Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1485/T1485.md

@@ -16,6 +16,8 @@ To maximize impact on the target organization in operations where network-wide a
 
 - [Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete)
 
+- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
+
 
 <br/>
 
@@ -77,3 +79,24 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
 sdelete.exe #{file_to_overwrite}
 ```
 <br/>
+<br/>
+
+## Atomic Test #5 - macOS/Linux - Overwrite file with DD
+Overwrites and deletes a file using DD.
+
+To stop the test, break the command with CTRL/CMD+C.
+
+**Supported Platforms:** CentOS, Linux, macOS, Ubuntu
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| overwrite_source | Path of data source to overwrite with | Path | /dev/zero|
+| file_to_overwrite | Path of file to overwrite and remove | Path | /var/log/syslog|
+
+#### Run it with `bash`!
+```
+dd of=#{file_to_overwrite} if=#{overwrite_source}
+```
+<br/>

atomics/T1496/T1496.md

@@ -0,0 +1,25 @@
+# T1496 - Resource Hijacking
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1496)
+<blockquote>Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. 
+
+One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes](#atomic-test-1---macoslinux---simulate-cpu-load-with-yes)
+
+
+<br/>
+
+## Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes
+This test simulates a high CPU load as you might observe during cryptojacking attacks.
+End the test by using CTRL/CMD+C to break.
+
+**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
+
+
+#### Run it with `bash`!
+```
+yes > /dev/null
+```
+<br/>

atomics/index.md

@@ -785,6 +785,7 @@
   - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
   - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
   - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
+  - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -797,7 +798,8 @@
   - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
   - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
+  - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, centos, ubuntu, linux]
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1489 Service Stop](./T1489/T1489.md)
   - Atomic Test #1: Windows - Stop service using Service Controller [windows]

atomics/index.yaml

@@ -21289,7 +21289,31 @@ impact:
           default: C:\some\file.txt
       executor:
         name: command_prompt
-        command: 'sdelete.exe #{file_to_overwrite}'
+        command: 'sdelete.exe #{file_to_overwrite}
+
+'
+    - name: macOS/Linux - Overwrite file with DD
+      description: |
+        Overwrites and deletes a file using DD.
+
+        To stop the test, break the command with CTRL/CMD+C.
+      supported_platforms:
+      - centos
+      - linux
+      - macos
+      - ubuntu
+      input_arguments:
+        overwrite_source:
+          description: Path of data source to overwrite with
+          type: Path
+          default: "/dev/zero"
+        file_to_overwrite:
+          description: Path of file to overwrite and remove
+          type: Path
+          default: "/var/log/syslog"
+      executor:
+        name: bash
+        command: dd of=#{file_to_overwrite} if=#{overwrite_source}
   '':
     technique:
       external_references:
@@ -21456,6 +21480,74 @@ impact:
         command: |
           bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
           bcdedit.exe /set {default} recoveryenabled no
+  T1496:
+    technique:
+      external_references:
+      - external_id: T1496
+        source_name: mitre-attack
+        url: https://attack.mitre.org/techniques/T1496
+      - url: https://securelist.com/lazarus-under-the-hood/77908/
+        source_name: Kaspersky Lazarus Under The Hood Blog 2017
+        description: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April
+          17, 2019.
+      object_marking_refs:
+      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+      x_mitre_data_sources:
+      - Process use of network
+      - Process monitoring
+      - Network protocol analysis
+      - Network device logs
+      modified: '2019-04-26T15:26:57.896Z'
+      x_mitre_detection: Consider monitoring process resource usage to determine anomalous
+        activity associated with malicious hijacking of computer resources such as
+        CPU, memory, and graphics processing resources. Monitor for suspicious use
+        of network resources associated with cryptocurrency mining software. Monitor
+        for common cryptomining software process names and files on local systems
+        that may indicate compromise and resource usage.
+      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      x_mitre_platforms:
+      - Linux
+      - macOS
+      - Windows
+      kill_chain_phases:
+      - phase_name: impact
+        kill_chain_name: mitre-attack
+      x_mitre_impact_type:
+      - Availability
+      id: attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783
+      name: Resource Hijacking
+      created: '2019-04-17T14:50:05.682Z'
+      x_mitre_version: '1.0'
+      type: attack-pattern
+      description: "Adversaries may leverage the resources of co-opted systems in
+        order to solve resource intensive problems which may impact system and/or
+        hosted service availability. \n\nOne common purpose for Resource Hijacking
+        is to validate transactions of cryptocurrency networks and earn virtual currency.
+        Adversaries may consume enough system resources to negatively impact and/or
+        cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus
+        Under The Hood Blog 2017) Servers and cloud-based systems are common targets
+        because of the high potential for available resources, but user endpoint systems
+        may also be compromised and used for Resource Hijacking and cryptocurrency
+        mining."
+      x_mitre_permissions_required:
+      - User
+      - Administrator
+      identifier: T1496
+    atomic_tests:
+    - name: macOS/Linux - Simulate CPU Load with Yes
+      description: |
+        This test simulates a high CPU load as you might observe during cryptojacking attacks.
+        End the test by using CTRL/CMD+C to break.
+      supported_platforms:
+      - macos
+      - centos
+      - ubuntu
+      - linux
+      executor:
+        name: bash
+        command: 'yes > /dev/null
+
+'
   T1489:
     technique:
       external_references:

atomics/linux-index.md

@@ -268,6 +268,7 @@
 
 # impact
 - [T1485 Data Destruction](./T1485/T1485.md)
+  - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -276,7 +277,8 @@
 - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1490 Inhibit System Recovery](./T1490/T1490.md)
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
+  - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, centos, ubuntu, linux]
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/macos-index.md

@@ -305,6 +305,7 @@
 
 # impact
 - [T1485 Data Destruction](./T1485/T1485.md)
+  - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -313,7 +314,8 @@
 - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1490 Inhibit System Recovery](./T1490/T1490.md)
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
+  - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, centos, ubuntu, linux]
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/windows-index.md

@@ -566,7 +566,7 @@
   - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
   - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1496 Resource Hijacking](./T1496/T1496.md)
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1489 Service Stop](./T1489/T1489.md)
   - Atomic Test #1: Windows - Stop service using Service Controller [windows]