From ff94993abb63d562883f52380d9fdbf720109cfb Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 10 Feb 2020 18:30:02 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1027/T1027.md | 2 +- atomics/T1036/T1036.md | 4 ++-- atomics/T1050/T1050.md | 7 ++++--- atomics/T1053/T1053.md | 2 +- atomics/index.yaml | 31 +++++++++++++++++-------------- 5 files changed, 25 insertions(+), 21 deletions(-) diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index b06e3ff6..bf035e79 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -101,7 +101,7 @@ powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::From #### Cleanup Commands: ``` -Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage} +Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} ``` diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index 0eaf277a..b86c68db 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -182,7 +182,7 @@ Stop-Process -ID $myT1036 #### Cleanup Commands: ``` -del #{outputfile} +Remove-Item #{outputfile} -Force -ErrorAction Ignore ``` @@ -214,7 +214,7 @@ Stop-Process -ID $myT1036 #### Cleanup Commands: ``` -del #{outputfile} +Remove-Item #{outputfile} -Force -ErrorAction Ignore ``` diff --git a/atomics/T1050/T1050.md b/atomics/T1050/T1050.md index 5b3b4f55..f05cdab9 100644 --- a/atomics/T1050/T1050.md +++ b/atomics/T1050/T1050.md @@ -60,14 +60,15 @@ Installs A Local Service via PowerShell #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ``` -New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" +New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null Start-Service -Name "#{service_name}" ``` #### Cleanup Commands: ``` -Stop-Service -Name "#{service_name}" -(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete() +Stop-Service -Name "#{service_name}" 2>&1 | Out-Null +try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} +catch {} ``` diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md index b0edcfa1..9d85c1f9 100644 --- a/atomics/T1053/T1053.md +++ b/atomics/T1053/T1053.md @@ -120,7 +120,7 @@ Register-ScheduledTask AtomicTask -InputObject $object #### Cleanup Commands: ``` -Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false +Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 ``` diff --git a/atomics/index.yaml b/atomics/index.yaml index 7ea0fe0b..b5092105 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -3294,11 +3294,12 @@ persistence: name: powershell elevation_required: true command: | - New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" + New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null Start-Service -Name "#{service_name}" - cleanup_command: | - Stop-Service -Name "#{service_name}" - (Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete() + cleanup_command: |- + Stop-Service -Name "#{service_name}" 2>&1 | Out-Null + try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} + catch {} T1137: technique: x_mitre_data_sources: @@ -4154,6 +4155,7 @@ persistence: $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set Register-ScheduledTask AtomicTask -InputObject $object cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + >$null 2>&1 ' T1180: @@ -9505,7 +9507,7 @@ defense-evasion: copy #{inputfile} #{outputfile} $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id Stop-Process -ID $myT1036 - cleanup_command: 'del #{outputfile} + cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore ' - name: Masquerading - windows exe running as different windows exe @@ -9531,7 +9533,7 @@ defense-evasion: copy #{inputfile} #{outputfile} $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id Stop-Process -ID $myT1036 - cleanup_command: 'del #{outputfile} + cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore ' - name: Malicious process Masquerading as LSM.exe @@ -10396,10 +10398,8 @@ defense-evasion: Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" - cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage} - -Name #{registry_entry_storage} - -' + cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} + -Name #{registry_entry_storage}' T1502: technique: x_mitre_data_sources: @@ -14390,11 +14390,12 @@ privilege-escalation: name: powershell elevation_required: true command: | - New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" + New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null Start-Service -Name "#{service_name}" - cleanup_command: | - Stop-Service -Name "#{service_name}" - (Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete() + cleanup_command: |- + Stop-Service -Name "#{service_name}" 2>&1 | Out-Null + try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} + catch {} T1502: technique: x_mitre_data_sources: @@ -15132,6 +15133,7 @@ privilege-escalation: $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set Register-ScheduledTask AtomicTask -InputObject $object cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + >$null 2>&1 ' T1058: @@ -23147,6 +23149,7 @@ execution: $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set Register-ScheduledTask AtomicTask -InputObject $object cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false + >$null 2>&1 ' T1064: