From 5af629b9fc840fde4be91087e49e90ff50709a7e Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Tue, 31 Mar 2020 17:23:05 -0700
Subject: [PATCH] Update Successful Completion Descriptions (#918)

* update descriptions
* add additional verification instructions
* Update T1136.yaml
* Update T1138.yaml
* Update T1124.yaml
* Update T1138.yaml

Co-authored-by: Carrie Roberts
---
 atomics/T1124/T1124.yaml |  4 ++--
 atomics/T1136/T1136.yaml |  8 +++++---
 atomics/T1138/T1138.yaml | 13 ++++++++-----
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/atomics/T1124/T1124.yaml b/atomics/T1124/T1124.yaml
index c077e2fc..9e3d4786 100644
--- a/atomics/T1124/T1124.yaml
+++ b/atomics/T1124/T1124.yaml
@@ -5,7 +5,7 @@ display_name: System Time Discovery
 atomic_tests:
 - name: System Time Discovery
   description: |
-    Identify the system time
+    Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
   supported_platforms:
   - windows
 
@@ -25,7 +25,7 @@ atomic_tests:
 
 - name: System Time Discovery - PowerShell
   description: |
-    Identify the system time via PowerShell
+    Identify the system time via PowerShell. Upon execution, the system time will be displayed.
   supported_platforms:
   - windows
 
diff --git a/atomics/T1136/T1136.yaml b/atomics/T1136/T1136.yaml
index fb3f4dd4..512de1f1 100644
--- a/atomics/T1136/T1136.yaml
+++ b/atomics/T1136/T1136.yaml
@@ -50,7 +50,8 @@ atomic_tests:
 
 - name: Create a new user in a command prompt
   description: |
-    Creates a new user in a command prompt
+    Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
+    new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
   supported_platforms:
   - windows
   input_arguments:
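Review bot: The verification sentence added to "Create a new user in a command prompt" hard-codes the account name `"T1136_CMD"`, yet the test takes `input_arguments:` (the hunk's last context line), so the instruction is wrong as soon as a caller overrides the username; the same applies to `"T1136_PowerShell"` in the "Create a new user in PowerShell" hunk. If the username is an input argument, refer to it as the configured value, e.g. `observe that there is a new user named "#{username}" (default T1136_CMD)` — the argument block itself is not visible here, so confirm its name. Inside a `|` literal scalar the break after "To verify the" is kept as a hard newline mid-sentence; wrap at a sentence boundary or use `>-` so the rendered description reads as prose. Minor: "powershell" is lowercased while the test name writes "PowerShell", and the final sentence has no terminal period.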
@@ -72,7 +73,8 @@ atomic_tests:
 
 - name: Create a new user in PowerShell
   description: |
-    Creates a new user in PowerShell
+    Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
+    new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
   supported_platforms:
   - windows
   input_arguments:
@@ -110,4 +112,4 @@ atomic_tests:
       useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
       echo "#{password}" | passwd --stdin #{username}
     cleanup_command: |
-      userdel #{username}
\ No newline at end of file
+      userdel #{username}
diff --git a/atomics/T1138/T1138.yaml b/atomics/T1138/T1138.yaml
index 61a82573..c20dc47a 100644
--- a/atomics/T1138/T1138.yaml
+++ b/atomics/T1138/T1138.yaml
@@ -5,11 +5,8 @@ display_name: Application Shimming
 atomic_tests:
 - name: Application Shim Installation
   description: |
-    To test injecting DLL into a custom application
-    you need to copy AtomicShim.dll Into C:\Tools
-    As well as Compile the custom app.
-    We believe observing the shim install is a good
-    place to start.
+    Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
+    will be displayed.
   supported_platforms:
   - windows
 
@@ -34,10 +31,13 @@ atomic_tests:
     elevation_required: true
     command: |
       sdbinst.exe #{file_path}
+
     cleanup_command: |
       sdbinst.exe -u #{file_path}
 - name: New shim database files created in the default shim database directory
   description: |
+    Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
+    https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
   supported_platforms:
   - windows
 
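Review bot: The new description of "Application Shim Installation" misspells "privilege" (`privelage escalation`) and drops the setup guidance the removed lines carried — copying AtomicShim.dll into C:\Tools and compiling the custom app — while the new expected output still refers to AtomicShim, so a reader has no idea why `sdbinst.exe #{file_path}` would fail on a fresh machine. Unless those prerequisites are stated elsewhere (no dependency block is visible in this hunk), keep one sentence such as `Requires AtomicShim.dll in C:\Tools and the compiled custom application before running.`, or move them into the test's dependency checks if the schema supports them. "bypassing user access control" likely means User Account Control (UAC); say so. The first added line is around 170 characters — wrap it the way the second line is wrapped.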
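Review bot: In the `@@ -34,10 +31,13 @@` hunk the added blank `+` line sits between `sdbinst.exe #{file_path}` and `cleanup_command: |`, i.e. inside the `command: |` literal scalar rather than between two keys. With clip chomping a trailing empty line is discarded, so the command value should be unchanged, but a whitespace-only line indented deeper than the content would become part of the command — drop the blank line to keep the key and its value visibly together. Separately, the description added to "New shim database files created in the default shim database directory" opens with "Upon execution" and a bare URL without saying what the test does; a leading sentence such as `Creates a new shim database file in the default shim database directory.` would match the other descriptions in this commit.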
@@ -53,6 +53,9 @@ atomic_tests:
 
 - name: Registry key creation and/or modification events for SDB
   description: |
+    Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
+    the registry keys that were created. These keys can also be viewed using the Registry Editor.
+    https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
   supported_platforms:
   - windows