diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index 25af1c64..8677e3dc 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml @@ -195,6 +195,7 @@ atomic_tests: docker rmi -f t1046 name: sh - name: Port-Scanning /24 Subnet with PowerShell + auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4 description: | Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed. diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml index 5a1a86b2..92e45a3a 100644 --- a/atomics/T1490/T1490.yaml +++ b/atomics/T1490/T1490.yaml @@ -136,6 +136,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Windows - vssadmin Resize Shadowstorage Volume + auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049 description: Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage. supported_platforms: diff --git a/atomics/T1547.005/T1547.005.yaml b/atomics/T1547.005/T1547.005.yaml index ba3443f0..21a9d4e8 100644 --- a/atomics/T1547.005/T1547.005.yaml +++ b/atomics/T1547.005/T1547.005.yaml @@ -23,6 +23,7 @@ atomic_tests: elevation_required: true - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry + auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738 description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. supported_platforms: - windows 
diff --git a/atomics/T1547.012/T1547.012.yaml b/atomics/T1547.012/T1547.012.yaml index 7a8fa7ea..3fe5ed92 100644 --- a/atomics/T1547.012/T1547.012.yaml +++ b/atomics/T1547.012/T1547.012.yaml @@ -2,6 +2,7 @@ attack_technique: T1547.012 display_name: 'Boot or Logon Autostart Execution: Print Processors' atomic_tests: - name: Print Processors + auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0 description: | Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors. The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index a672b989..2906c755 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1370,3 +1370,9 @@ bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9 4cdc9fc7-53fb-4894-9f0c-64836943ea60 d8d13303-159e-4f33-89f4-9f07812d016f 183235ca-8e6c-422c-88c2-3aa28c4825d9 +05df2a79-dba6-4088-a804-9ca0802ca8e4 +17d046be-fdd0-4cbb-b5c7-55c85d9d0714 +37950714-e923-4f92-8c7c-51e4b6fffbf6 +da558b07-69ae-41b9-b9d4-4d98154a7049 +de3f8e74-3351-4fdb-a442-265dbf231738 +f7d38f47-c61b-47cc-a59d-fc0368f47ed0
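Review bot: In the atomics/T1490/T1490.yaml hunk, the description that sits directly under the new auto_generated_guid line is hard to parse ("try to Resize Shadowstorage Volume", "typically found used by adversaries ... and a precursor to"). Since this test is being touched anyway, consider tidying that wording in the same change, for example by lowercasing "resize shadow storage volume" mid-sentence and splitting the last sentence so that "a precursor to deleting the shadowstorage" has a clear subject. The other three YAML hunks place the new key between name and description in the same way and need no change.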
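Review bot: In the atomics/used_guids.txt hunk, six GUIDs are appended, but only four of them are assigned as auto_generated_guid in the YAML hunks visible in this patch (05df2a79-dba6-4088-a804-9ca0802ca8e4 in T1046, da558b07-69ae-41b9-b9d4-4d98154a7049 in T1490, de3f8e74-3351-4fdb-a442-265dbf231738 in T1547.005, f7d38f47-c61b-47cc-a59d-fc0368f47ed0 in T1547.012). The entries 17d046be-fdd0-4cbb-b5c7-55c85d9d0714 and 37950714-e923-4f92-8c7c-51e4b6fffbf6 have no matching test in the part of the diff shown here. Please confirm that each of the two is attached to a test in a file outside this excerpt; if not, drop them from used_guids.txt so the list does not reserve GUIDs that no atomic test carries.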