From 0450aa2edd9f5c8c2f23a0820d22d7279bbba121 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Thu, 2 Jul 2020 17:19:33 -0600
Subject: [PATCH] typo fix
---
 atomics/T1574.010/T1574.010.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomics/T1574.010/T1574.010.yaml b/atomics/T1574.010/T1574.010.yaml
index 369ef9e0..6c701cfb 100644
--- a/atomics/T1574.010/T1574.010.yaml
+++ b/atomics/T1574.010/T1574.010.yaml
@@ -8,7 +8,7 @@ atomic_tests:
 powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
- Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read " T1574.010 Malicious file". To verify
+ Upon execution, open the weak permission file at %temp%\T1574.010_weak_permission_file.txt and verify that it's contents read "T1574.010 Malicious file". To verify
 the weak file permissions, open File Explorer to%temp%\T1574.010_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
 supported_platforms:
 - windows
@@ -16,7 +16,7 @@ atomic_tests:
 malicious_file:
 description: File to replace weak permission file with
 type: path
- default: $env:TEMP\ T1574.010\ T1574.010_malicious_file.txt
+ default: $env:TEMP\T1574.010\T1574.010_malicious_file.txt
 weak_permission_file:
 description: check weak files permission
 type: path
@@ -35,7 +35,7 @@ atomic_tests:
 prereq_command: |
 if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
 get_prereq_command: |
- New-Item -Type Directory -Path $env:TEMP\ T1574.010\ -Force | Out-Null
+ New-Item -Type Directory -Path $env:TEMP\T1574.010\ -Force | Out-Null
 New-Item #{malicious_file} -Force | Out-Null
 Set-Content -Path #{malicious_file} -Value " T1574.010 Malicious file"
 executor:
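Review bot: The expected contents in the corrected description line, `"T1574.010 Malicious file"`, no longer match what the prerequisite writes: the unchanged `Set-Content` line in the third hunk still uses `-Value " T1574.010 Malicious file"` with a leading space, so the manual verification step compares against a string the test never produces. Dropping the space there as well, `Set-Content -Path #{malicious_file} -Value "T1574.010 Malicious file"`, would keep the two in step. The same description still reads `it's contents` (should be `its`), and the following context line has `File Explorer to%temp%\T1574.010_weak_permission_file.exe`, which lacks a space and names a `.exe` where the sentence before it names a `.txt`. The description block starts above this hunk, so its opening lines are not visible here.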
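Review bot: The directory created in `get_prereq_command` is hard-coded to `$env:TEMP\T1574.010\`, while the file written on the next line comes from the `malicious_file` input argument, so an overridden argument would presumably leave the prerequisite creating a folder unrelated to the file it then writes. Deriving the folder from the argument, `New-Item -Type Directory -Path (Split-Path #{malicious_file}) -Force | Out-Null`, keeps the two in step and removes the second copy of the path that this commit had to correct. The hunk ends at `executor:`, so the rest of this atomic test is not visible here.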