Generated docs from job=generate-docs branch=master [ci skip]
This commit is contained in:
Atomic Red Team doc generator
File diff suppressed because one or more lines are too long
@@ -576,7 +576,7 @@ privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Ho
|
||||
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
|
||||
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
|
||||
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
|
||||
@@ -830,7 +830,7 @@ persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level t
|
||||
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
|
||||
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
|
||||
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
|
||||
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
|
||||
|
||||
|
@@ -431,7 +431,7 @@ privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Ho
|
||||
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
|
||||
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
|
||||
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
|
||||
@@ -612,7 +612,7 @@ persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55
|
||||
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
|
||||
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
|
||||
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
|
||||
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
|
||||
|
||||
|
@@ -882,7 +882,7 @@
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
|
||||
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
|
||||
- Atomic Test #1: Add command to .bash_profile [macos, linux]
|
||||
- Atomic Test #2: Add command to .bashrc [macos, linux]
|
||||
@@ -1352,7 +1352,7 @@
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
|
||||
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
|
||||
- Atomic Test #1: Add command to .bash_profile [macos, linux]
|
||||
- Atomic Test #2: Add command to .bashrc [macos, linux]
|
||||
|
||||
@@ -664,7 +664,7 @@
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
|
||||
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
|
||||
- Atomic Test #1: Injection SID-History with mimikatz [windows]
|
||||
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
|
||||
@@ -993,7 +993,7 @@
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
|
||||
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
|
||||
- Atomic Test #1: Authentication Package [windows]
|
||||
- T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -37933,7 +37933,7 @@ privilege-escalation:
|
||||
Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
- name: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)
|
||||
auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
@@ -61004,7 +61004,7 @@ persistence:
|
||||
Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
- name: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)
|
||||
auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
|
||||
@@ -12,7 +12,7 @@ Since the execution can be proxied by an account with higher permissions, such a
|
||||
|
||||
- [Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-2---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
|
||||
|
||||
- [Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-3---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
|
||||
- [Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)](#atomic-test-3---hkcu---persistence-using-commandprocessor-autorun-key-without-elevation)
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -103,7 +103,7 @@ Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "Au
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
## Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user