Update Successful Completion Descriptions (#918)

* update descriptions

* add additional verification instructions

* Update T1136.yaml

* Update T1138.yaml

* Update T1124.yaml

* Update T1138.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Andrew Beers
2020-03-31 17:23:05 -07:00
committed by GitHub
parent c4cd523a8d
commit 5af629b9fc
3 changed files with 15 additions and 10 deletions
+2 -2
@@ -5,7 +5,7 @@ display_name: System Time Discovery
atomic_tests:
- name: System Time Discovery
description: |
Identify the system time
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
supported_platforms:
- windows
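Review bot: the added description sentence `Upon execution, the local computer system time and timezone will be displayed.` gives the tester a concrete success criterion, but it still does not say which tool the test runs, and the next test in this file is named `System Time Discovery - PowerShell`; consider naming the command-prompt utility here so the two descriptions are distinguishable on their own.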
@@ -25,7 +25,7 @@ atomic_tests:
- name: System Time Discovery - PowerShell
description: |
Identify the system time via PowerShell
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
supported_platforms:
- windows
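Review bot: the new text `Upon execution, the system time will be displayed.` drops the timezone that the first test's description in this file promises (`the local computer system time and timezone will be displayed`); if the PowerShell variant also prints the timezone, align the two sentences so a tester comparing the outputs does not read the difference as a failure.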
+5 -3
@@ -50,7 +50,8 @@ atomic_tests:
- name: Create a new user in a command prompt
description: |
Creates a new user in a command prompt
Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
supported_platforms:
- windows
input_arguments:
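Review bot: the verification sentence hard-codes the account name (`observe that there is a new user named "T1136_CMD"`) even though the test declares `input_arguments:` directly below; if the username is one of those arguments, phrase the check as "a new user with the configured username (default `T1136_CMD`)" so the description stays correct when the argument is overridden. Also `powershell` should be capitalised `PowerShell` to match the test name used elsewhere in this file.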
@@ -72,7 +73,8 @@ atomic_tests:
- name: Create a new user in PowerShell
description: |
Creates a new user in PowerShell
Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
supported_platforms:
- windows
input_arguments:
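Review bot: same concern as the command-prompt test above: `observe that there is a new user named "T1136_PowerShell"` fixes the name in prose while `input_arguments:` follows, so say "the configured username (default `T1136_PowerShell`)" instead; and `powershell` appears twice in lower case in this hunk where the test name spells it `PowerShell`.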
@@ -110,4 +112,4 @@ atomic_tests:
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
cleanup_command: |
userdel #{username}
userdel #{username}
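Review bot: the only change in this hunk is `userdel #{username}` replaced by an identical `userdel #{username}`, so this is a whitespace or end-of-file newline fix rather than a description update; it is harmless, but a word in the commit message would save the next reader from hunting for a content difference.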
+8 -5
@@ -5,11 +5,8 @@ display_name: Application Shimming
atomic_tests:
- name: Application Shim Installation
description: |
To test injecting DLL into a custom application
you need to copy AtomicShim.dll Into C:\Tools
As well as Compile the custom app.
We believe observing the shim install is a good
place to start.
Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
will be displayed.
supported_platforms:
- windows
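Review bot: two corrections in the added description line: `privelage escalation` should read `privilege escalation`, and `user access control` should be `User Account Control` (UAC), which is what the shim technique bypasses. Separately, the removed lines carried the only statement of the prerequisites (`you need to copy AtomicShim.dll Into C:\Tools` and `Compile the custom app`); unless those are captured in a prerequisite/dependency section of the test that this diff does not show, keep that sentence so a tester knows the setup before `sdbinst.exe #{file_path}` will succeed.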
@@ -34,10 +31,13 @@ atomic_tests:
elevation_required: true
command: |
sdbinst.exe #{file_path}
cleanup_command: |
sdbinst.exe -u #{file_path}
- name: New shim database files created in the default shim database directory
description: |
Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
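Review bot: after this change the description consists only of a verification step (`Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database`) and a reference URL; it no longer says what the test does. Lead with one sentence stating the action (what is created in that directory and how) and then keep the verification sentence, matching the "action, then expected outcome" pattern used for the other tests in this commit.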
@@ -53,6 +53,9 @@ atomic_tests:
- name: Registry key creation and/or modification events for SDB
description: |
Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
the registry keys that were created. These keys can also be viewed using the Registry Editor.
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
supported_platforms:
- windows
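Review bot: `fin7` in `Create registry keys in locations where fin7 typically places SDB patches` should be capitalised `FIN7`, as in the referenced FireEye article title. Since the point of the description is to tell a tester (and a detection engineer) where to look, consider naming the specific registry paths the test writes to rather than "locations where FIN7 typically places SDB patches", so the `Registry Editor` check can be performed without reading the external link.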