diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md
index 2ebf74b5..d21edddd 100644
--- a/atomics/T1124/T1124.md
+++ b/atomics/T1124/T1124.md
@@ -14,7 +14,7 @@ An adversary may gather the system time and/or time zone from a local or remote
## Atomic Test #1 - System Time Discovery
-Identify the system time
+Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Windows
@@ -44,7 +44,7 @@ w32tm /tz
## Atomic Test #2 - System Time Discovery - PowerShell
-Identify the system time via PowerShell
+Identify the system time via PowerShell. Upon execution, the system time will be displayed.
**Supported Platforms:** Windows
diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md
index 8ed767c4..6fbd5f7b 100644
--- a/atomics/T1136/T1136.md
+++ b/atomics/T1136/T1136.md
@@ -100,7 +100,8 @@ dscl . -delete /Users/#{username}
## Atomic Test #3 - Create a new user in a command prompt
-Creates a new user in a command prompt
+Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
+new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
**Supported Platforms:** Windows
@@ -134,7 +135,8 @@ net user /del "#{username}"
## Atomic Test #4 - Create a new user in PowerShell
-Creates a new user in PowerShell
+Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
+new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
**Supported Platforms:** Windows
diff --git a/atomics/T1138/T1138.md b/atomics/T1138/T1138.md
index 4fd1c68b..51782765 100644
--- a/atomics/T1138/T1138.md
+++ b/atomics/T1138/T1138.md
@@ -26,11 +26,8 @@ To keep shims secure, Windows designed them to run in user mode so they cannot m
## Atomic Test #1 - Application Shim Installation
-To test injecting DLL into a custom application
-you need to copy AtomicShim.dll Into C:\Tools
-As well as Compile the custom app.
-We believe observing the shim install is a good
-place to start.
+Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+will be displayed.
**Supported Platforms:** Windows
@@ -48,9 +45,12 @@ place to start.
```cmd
sdbinst.exe #{file_path}
-sdbinst.exe -u #{file_path}
```
+#### Cleanup Commands:
+```cmd
+sdbinst.exe -u #{file_path}
+```
@@ -73,6 +73,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - New shim database files created in the default shim database directory
+Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
**Supported Platforms:** Windows
@@ -103,6 +105,9 @@ Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAc
## Atomic Test #3 - Registry key creation and/or modification events for SDB
+Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+the registry keys that were created. These keys can also be viewed using the Registry Editor.
+
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
**Supported Platforms:** Windows
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 88e41b50..932c7c0b 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -614,11 +614,8 @@ persistence:
atomic_tests:
- name: Application Shim Installation
description: |
- To test injecting DLL into a custom application
- you need to copy AtomicShim.dll Into C:\Tools
- As well as Compile the custom app.
- We believe observing the shim install is a good
- place to start.
+ Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+ will be displayed.
supported_platforms:
- windows
input_arguments:
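Review bot: `privelage` in the rewritten description (L80) is a misspelling of `privilege`, and the same sentence is duplicated verbatim in the privilege-escalation copy of this test (L164) and in atomics/T1138/T1138.md (L42); suggest `This technique is used for privilege escalation and bypassing user access control.` in all three places. If atomics/index.yaml is produced by a generator from the per-technique YAML, as its layout suggests, the fix belongs in that source file so the next regeneration does not reintroduce the typo. The `description` value is a literal block scalar, so the wording can be changed without touching the surrounding structure.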
@@ -636,13 +633,17 @@ persistence:
executor:
name: command_prompt
elevation_required: true
- command: |
- sdbinst.exe #{file_path}
- sdbinst.exe -u #{file_path}
- - name: New shim database files created in the default shim database directory
- description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+ command: 'sdbinst.exe #{file_path}
'
+ cleanup_command: 'sdbinst.exe -u #{file_path}
+
+'
+ - name: New shim database files created in the default shim database directory
+ description: |
+ Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+
+ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
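Review bot: The new `command` (L94–95) and `cleanup_command` (L96–98) values are single-quoted scalars that span lines, so their line breaks go through YAML flow folding: by those rules `command` ends in a trailing space and `cleanup_command` in a trailing newline, a difference that is invisible at a glance and easy to break on the next hand edit. The sibling `description` in the same hunk uses a literal block, and the original `command` did too; suggest `command: |` / `  sdbinst.exe #{file_path}` and `cleanup_command: |` / `  sdbinst.exe -u #{file_path}` so both read as plain command lines. The same quoted-multiline shape appears in the privilege-escalation copy (hunk ending at L190) and in the `userdel` cleanup at L149–151, where the only change is the added trailing newlines and which looks like regeneration churn rather than an intended edit. If this file is emitted by a generator from the per-technique YAML, the scalar style is decided there and this is a note for that tooling.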
@@ -655,9 +656,11 @@ persistence:
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
- name: Registry key creation and/or modification events for SDB
- description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+ description: |
+ Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+ the registry keys that were created. These keys can also be viewed using the Registry Editor.
-'
+ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
@@ -1174,9 +1177,9 @@ persistence:
'
- name: Create a new user in a command prompt
- description: 'Creates a new user in a command prompt
-
-'
+ description: |
+ Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
+ new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
supported_platforms:
- windows
input_arguments:
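Review bot: The new description (L127–128) tells the reader to look for a user named `"T1136_CMD"`, but the account name is an input argument (the md hunk header at L25 shows `net user /del "#{username}"`, and `input_arguments:` follows at L131), so the text is misleading whenever the caller overrides the default. Suggest `observe that there is a new user named "T1136_CMD" (the default value of the username argument)` or simply referring to the `username` argument. The PowerShell variant has the same issue at L140 with `"T1136_PowerShell"`, and both markdown copies in atomics/T1136/T1136.md (L23, L29) carry the same wording.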
@@ -1198,9 +1201,9 @@ persistence:
'
- name: Create a new user in PowerShell
- description: 'Creates a new user in PowerShell
-
-'
+ description: |
+ Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
+ new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
supported_platforms:
- windows
input_arguments:
@@ -1239,7 +1242,9 @@ persistence:
command: |
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
- cleanup_command: 'userdel #{username}'
+ cleanup_command: 'userdel #{username}
+
+'
T1038:
technique:
x_mitre_permissions_required:
@@ -13445,11 +13450,8 @@ privilege-escalation:
atomic_tests:
- name: Application Shim Installation
description: |
- To test injecting DLL into a custom application
- you need to copy AtomicShim.dll Into C:\Tools
- As well as Compile the custom app.
- We believe observing the shim install is a good
- place to start.
+ Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+ will be displayed.
supported_platforms:
- windows
input_arguments:
@@ -13467,13 +13469,17 @@ privilege-escalation:
executor:
name: command_prompt
elevation_required: true
- command: |
- sdbinst.exe #{file_path}
- sdbinst.exe -u #{file_path}
- - name: New shim database files created in the default shim database directory
- description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+ command: 'sdbinst.exe #{file_path}
'
+ cleanup_command: 'sdbinst.exe -u #{file_path}
+
+'
+ - name: New shim database files created in the default shim database directory
+ description: |
+ Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+
+ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
@@ -13486,9 +13492,11 @@ privilege-escalation:
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
- name: Registry key creation and/or modification events for SDB
- description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+ description: |
+ Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+ the registry keys that were created. These keys can also be viewed using the Registry Editor.
-'
+ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
executor:
@@ -19248,7 +19256,8 @@ discovery:
identifier: T1124
atomic_tests:
- name: System Time Discovery
- description: 'Identify the system time
+ description: 'Identify the system time. Upon execution, the local computer system
+ time and timezone will be displayed.
'
supported_platforms:
@@ -19265,7 +19274,8 @@ discovery:
net time \\#{computer_name}
w32tm /tz
- name: System Time Discovery - PowerShell
- description: 'Identify the system time via PowerShell
+ description: 'Identify the system time via PowerShell. Upon execution, the system
+ time will be displayed.
'
supported_platforms: