T1502, T1504, T1518, T1529, T1531 updates (#926)

* fix tests

* improve descriptions

* more updates
Andrew Beers
2020-04-03 17:24:05 -05:00
committed by GitHub
parent 3e789bc137
commit 0e35397f3f
5 changed files with 46 additions and 39 deletions
+8 -6
@@ -5,23 +5,25 @@ display_name: Software Discovery
atomic_tests:
- name: Find and Display Internet Explorer Browser Version
description: |
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
Query the registry to determine the version of internet explorer installed on the system.
Upon execution, version information about internet explorer will be displayed.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actaul attack commands, at least one command must be provided
elevation_required: false
command: |
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
- name: Applications Installed
description: |
Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
Query the registry to determine software and versions installed on the system. Upon execution a table of
software name and version information will be displayed.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
elevation_required: false
command: |
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
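Review bot: the two descriptions in this hunk disagree about the scope of the technique, and both run two sentences together without a period. The first test says adversaries enumerate "non-security related software" while the second says "all software"; pick one wording (the second matches what the tests actually do, since the Uninstall query lists every registered entry) and add a period before "Query the registry ..." in both. Also capitalize "Internet Explorer" in "the version of internet explorer installed on the system" and "version information about internet explorer will be displayed". Separately, the "Applications Installed" command only reads HKLM (native and Wow6432Node); per-user installs registered under HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall will not appear, so either add that path as a third line or state the limitation in the description. Dropping the template comments ("# indicates whether command must be run ...", "# these are the actaul attack commands ...") is the right call, since they were boilerplate and one carried a typo.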