Adding more YAML validations (#2837)

* Update T1202.yaml

* fix all atomics

* changing to macos to fix pytest issue

* changing to macos to fix pytest issue

* adding gitignore

.github/workflows/run-python-tests.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   validate-python-file-changes:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     steps:
       - name: checkout repo
         uses: actions/checkout@v4
@@ -19,7 +19,7 @@ jobs:
         uses: actions/setup-python@v5
         id: setup-python
         with:
-          python-version: "3.11.2"
+          python-version: "3.12.4"
           cache: "poetry"
 
       - name: Install dependencies

.gitignore

@@ -149,3 +149,4 @@ node_modules/
 # Python
 __pycache__/
 *.pyc
+.hypothesis/

atomic_red_team/models.py

@@ -10,7 +10,6 @@ from pydantic import (
     Field,
     IPvAnyAddress,
     StrictFloat,
-    StrictInt,
     StringConstraints,
     conlist,
     constr,
@@ -105,7 +104,7 @@ class StringArg(BaseArgument):
 
 
 class IntArg(BaseArgument):
-    default: Optional[StrictInt]
+    default: Optional[int]
     type: Literal["integer", "Integer"]
 
 
@@ -152,10 +151,8 @@ class Atomic(BaseModel):
     supported_platforms: conlist(Platform, min_length=1)
     executor: Union[ManualExecutor, CommandExecutor] = Field(..., discriminator="name")
     dependencies: Optional[List[Dependency]] = []
-    input_arguments: Optional[
-        Dict[constr(min_length=2, pattern=r"^[\w_-]+$"), Argument]
-    ] = {}
-    dependency_executor_name: Optional[ExecutorType] = None
+    input_arguments: Dict[constr(min_length=2, pattern=r"^[\w_-]+$"), Argument] = {}
+    dependency_executor_name: ExecutorType = "manual"
     auto_generated_guid: Optional[UUID] = None
 
     @classmethod
@@ -170,11 +167,28 @@ class Atomic(BaseModel):
             commands.extend([d.get_prereq_command, d.prereq_command])
         return extract_mustached_keys(commands)
 
+    @field_validator("dependency_executor_name", mode="before")  # noqa
+    @classmethod
+    def validate_dep_executor(cls, v, info: ValidationInfo):
+        if v is None:
+            raise PydanticCustomError(
+                "empty_dependency_executor_name",
+                "'dependency_executor_name' shouldn't be empty. Provide a valid value ['manual','powershell', 'sh', "
+                "'bash', 'command_prompt'] or remove the key from YAML",
+                {"loc": ["dependency_executor_name"], "input": None},
+            )
+        return v
+
     @field_validator("input_arguments", mode="before")  # noqa
     @classmethod
     def validate(cls, v, info: ValidationInfo):
         if v is None:
-            return v
+            raise PydanticCustomError(
+                "empty_input_arguments",
+                "'input_arguments' shouldn't be empty. Provide a valid value or remove the key from YAML",
+                {"loc": ["input_arguments"], "input": None},
+            )
+
         atomic = info.data
         keys = cls.extract_mustached_keys(atomic)
         for key, _value in v.items():

atomic_red_team/runner.py

@@ -84,7 +84,7 @@ def validate():
     validator = Validator()
     errors = defaultdict(list)
 
-    for folder in glob.glob(f"{atomics_path}/atomics/T*"):
+    for folder in glob.glob(f"{atomics_path}/T*"):
         for item in os.scandir(folder):
             try:
                 validator.validate(item)

atomic_red_team/test_data/empty_dependency_executor_name.yaml

@@ -0,0 +1,20 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid:
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    gsecdump_exe:
+      description: Path to the Gsecdump executable
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true
+  dependency_executor_name:

atomic_red_team/test_data/empty_input_arguments.yaml

@@ -0,0 +1,15 @@
+attack_technique: T1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  auto_generated_guid:
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  input_arguments:
+  executor:
+    command: |
+      "#{gsecdump_exe}" -a
+    name: command_prompt
+    elevation_required: true

atomics/T1112/T1112.yaml

@@ -1239,7 +1239,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: Modify EnableNonTPM Registry entry 
-  auto_generated_guid: 02d8b9f7-1a51-4011-8901-2d55cca667f9
+  auto_generated_guid:
   description: |
     Allow Bitlocker without TPM for Bitlocker tool
   supported_platforms:

atomics/T1202/T1202.yaml

@@ -70,7 +70,6 @@ atomic_tests:
       description: Path to the executable
       type: String
       default: C:\Windows\System32\calc.exe
-  dependency_executor_name: 
   executor:
     command: Scriptrunner.exe -appvscript "#{payload_path}"
     cleanup_command: 

atomics/T1218.011/T1218.011.yaml

@@ -352,7 +352,6 @@ atomic_tests:
       description: Path of the executable to launch
       type: path
       default: "'%windir%\\System32\\calc.exe'"
-  dependency_executor_name: 
   executor:
     command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
     cleanup_command: 

atomics/T1652/T1652.yaml

@@ -11,8 +11,6 @@ atomic_tests:
     /si /fo list - Provides information about signed drivers and outputs it in a list format
   supported_platforms:
   - windows
-  input_arguments: 
-  dependency_executor_name: 
   executor:
     command: |
       driverquery /v /fo list