T1502, T1504, T1518, T1529, T1531 updates (#926)

* fix tests * improve descriptions * more updates
2020-04-03 17:24:05 -05:00
parent 3e789bc137
commit 0e35397f3f
5 changed files with 46 additions and 39 deletions
@@ -6,8 +6,10 @@ atomic_tests:
 - name: Parent PID Spoofing using PowerShell
  description: |
    This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
-    Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
+    Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
+    calc.exe will be launched.

+    Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
  supported_platforms:
    - windows

@@ -53,4 +55,3 @@ atomic_tests:
    cleanup_command: |
      Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
      Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
-      
@@ -3,12 +3,12 @@ attack_technique: T1504
 display_name: PowerShell Profile

 atomic_tests:
- name: Append malicious start-process cmdlet 
+- name: Append malicious start-process cmdlet
  description: |
-    Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable
+    Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
  supported_platforms:
    - windows
-   
+
  input_arguments:
    exe_path:
      description: Path the malicious executable
@@ -20,18 +20,22 @@ atomic_tests:
      type: String
      default: $profile

+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        Ensure a powershell profile exists for the current user
+      prereq_command: |
+        if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Path #{ps_profile} -Type File -Force
+
  executor:
    name: powershell
    elevation_required: false
-    command: | 
-      if(Test-Path #{ps_profile}){
-      }
-      else{
-        New-Item -Path #{ps_profile} -Type File -Force
-      }
-      $malicious = "Start-Process #{exe_path}"
-      Add-Content #{ps_profile} -Value $malicious
-      powershell -command exit
-    cleanup_command: | 
+    command: |
+      Add-Content #{ps_profile} -Value ""
+      Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
+      powershell -Command exit
+    cleanup_command: |
      $oldprofile = cat $profile | Select-Object -skiplast 1
-      Set-Content $profile -Value $oldprofile
+      Set-Content $profile -Value $oldprofile
@@ -5,23 +5,25 @@ display_name: Software Discovery
 atomic_tests:
 - name: Find and Display Internet Explorer Browser Version
  description: |
-    Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+    Query the registry to determine the version of internet explorer installed on the system.
+    Upon execution, version information about internet explorer will be displayed.
  supported_platforms:
    - windows
  executor:
    name: command_prompt
-    elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actaul attack commands, at least one command must be provided
+    elevation_required: false
+    command: |
      reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion

 - name: Applications Installed
  description: |
-    Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+    Query the registry to determine software and versions installed on the system. Upon execution a table of
+    software name and version information will be displayed.
  supported_platforms:
    - windows
  executor:
    name: powershell
-    elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actual attack commands, at least one command must be provided
+    elevation_required: false
+    command: |
      Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
      Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
@@ -18,8 +18,8 @@ atomic_tests:

  executor:
    name: command_prompt
-    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actaul attack commands, at least one command must be provided
+    elevation_required: true
+    command: |
      shutdown /s /t #{timeout}

 - name: Restart System - Windows
@@ -37,8 +37,8 @@ atomic_tests:

  executor:
    name: command_prompt
-    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actaul attack commands, at least one command must be provided
+    elevation_required: true
+    command: |
      shutdown /r /t #{timeout}

 - name: Restart System via `shutdown` - macOS/Linux
@@ -80,7 +80,7 @@ atomic_tests:
    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
    command: | # these are the actual attack commands, at least one command must be provided
      shutdown -h #{timeout}
-      
+

 - name: Restart System via `reboot` - macOS/Linux
  description: |
@@ -107,7 +107,7 @@ atomic_tests:
    name: bash
    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
    command: | # these are the actual attack commands, at least one command must be provided
-      halt -p      
+      halt -p

 - name: Reboot System via `halt` - Linux
  description: |
@@ -120,7 +120,7 @@ atomic_tests:
    name: bash
    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
    command: | # these are the actual attack commands, at least one command must be provided
-      halt --reboot      
+      halt --reboot

 - name: Shutdown System via `poweroff` - Linux
  description: |
@@ -133,7 +133,7 @@ atomic_tests:
    name: bash
    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
    command: | # these are the actual attack commands, at least one command must be provided
-      poweroff      
+      poweroff

 - name: Reboot System via `poweroff` - Linux
  description: |
@@ -146,4 +146,4 @@ atomic_tests:
    name: bash
    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
    command: | # these are the actual attack commands, at least one command must be provided
-      poweroff --reboot  
+      poweroff --reboot
@@ -5,7 +5,8 @@ display_name: Account Access Removal
 atomic_tests:
 - name: Change User Password - Windows
  description: |
-    Changes the user password to hinder access attempts. Seen in use by LockerGoga.
+    Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
+    the password "HuHuHUHoHo283283".

  supported_platforms:
    - windows
@@ -34,16 +35,15 @@ atomic_tests:

  executor:
    name: command_prompt
-    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actaul attack commands, at least one command must be provided
+    elevation_required: true
+    command: |
      net.exe user #{user_account} #{new_password}
    cleanup_command: |
      net.exe user #{user_account} /delete

 - name: Delete User - Windows
  description: |
-    Deletes a user account to prevent access.
-
+    Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
  supported_platforms:
    - windows

@@ -67,6 +67,6 @@ atomic_tests:

  executor:
    name: command_prompt
-    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
-    command: | # these are the actaul attack commands, at least one command must be provided
-      net.exe user #{user_account} /delete
+    elevation_required: true
+    command: |
+      net.exe user #{user_account} /delete