Merge branch 'master' into T1110.001_II

Jose Enrique Hernandez
2023-02-21 21:44:38 -05:00
committed by GitHub
21 changed files with 191 additions and 112 deletions
@@ -1 +1 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure - adding user to Azure AD role\n- Azure - adding service principal to Azure AD role\n- AzureAD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -7,6 +7,6 @@ defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
7 privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
8 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
9 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
10 persistence T1098 Account Manipulation 4 Azure - adding user to Azure AD role Azure AD - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
11 persistence T1098 Account Manipulation 5 Azure - adding service principal to Azure AD role Azure AD - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
12 persistence T1098 Account Manipulation 8 AzureAD - adding permission to application Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
+4 -3
@@ -851,11 +851,11 @@ persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM use
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
@@ -1370,6 +1370,7 @@ discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
851 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
852 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
853 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
854 persistence T1098 Account Manipulation 4 Azure - adding user to Azure AD role Azure AD - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
855 persistence T1098 Account Manipulation 5 Azure - adding service principal to Azure AD role Azure AD - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
856 persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
857 persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
858 persistence T1098 Account Manipulation 8 AzureAD - adding permission to application Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
859 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
860 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
861 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
1370 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
1371 discovery T1124 System Time Discovery 3 System Time Discovery in macOS f449c933-0891-407f-821e-7916a21a1a6f sh
1372 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
1373 discovery T1124 System Time Discovery 5 System Time with Windows time Command 53ead5db-7098-4111-bb3f-563be390e72e command_prompt
1374 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
1375 command-and-control T1132.001 Data Encoding: Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
1376 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
@@ -976,6 +976,7 @@ discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
976 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
977 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
978 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
979 discovery T1124 System Time Discovery 5 System Time with Windows time Command 53ead5db-7098-4111-bb3f-563be390e72e command_prompt
980 command-and-control T1132.001 Data Encoding: Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
981 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
982 command-and-control T1071.004 Application Layer Protocol: DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
@@ -61,9 +61,9 @@
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
- Atomic Test #8: AzureAD - adding permission to application [azure-ad]
- Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
- Atomic Test #8: Azure AD - adding permission to application [azure-ad]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+4 -3
@@ -1362,11 +1362,11 @@
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
- Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
- Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- Atomic Test #8: AzureAD - adding permission to application [azure-ad]
- Atomic Test #8: Azure AD - adding permission to application [azure-ad]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
@@ -2129,6 +2129,7 @@
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- Atomic Test #3: System Time Discovery in macOS [macos]
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
- Atomic Test #5: System Time with Windows time Command [windows]
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1545,6 +1545,7 @@
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
- Atomic Test #5: System Time with Windows time Command [windows]
# command-and-control
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
+14 -14
@@ -36599,13 +36599,13 @@ persistence:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1098
atomic_tests:
- name: Azure - adding user to Azure AD role
- name: Azure AD - adding user to Azure AD role
auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
description: "The adversarie want to add user to some Azure AD role. Threat
description: "The adversaries want to add user to some Azure AD role. Threat
actor \nmay be interested primarily in highly privileged roles, e.g. Global
Administrator, Application Administrator, \nPrivileged authentication administrator
Administrator, Application Administrator, \nPrivileged Authentication Administrator
(this role can reset Global Administrator password!).\nBy default, the role
Global Reader is assigned to service principal in this test.\n\nThe account
Global Reader is assigned to the user principal in this test.\n\nThe account
you use to run the PowerShell command should have Privileged Role Administrator
or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity
\"Add member to role\" in Azure AD Audit Logs. In targer you will also see
@@ -36626,7 +36626,7 @@ persistence:
type: string
default: SuperUser
role_name:
description: Name of the targed Azure AD role
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
@@ -36668,12 +36668,12 @@ persistence:
Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure AD role
- name: Azure AD - adding service principal to Azure AD role
auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
description: "The adversarie want to add service principal to some Azure AD
description: "The adversaries want to add service principal to some Azure AD
role. Threat actor \nmay be interested primarily in highly privileged roles,
e.g. Global Administrator, Application Administrator, \nPrivileged authentication
administrator (this role can reset Global Administrator password!).\nBy default,
e.g. Global Administrator, Application Administrator, \nPrivileged Authentication
Administrator (this role can reset Global Administrator password!).\nBy default,
the role Global Reader is assigned to service principal in this test.\n\nThe
account you use to run the PowerShell command should have Privileged Role
Administrator or Global Administrator role in your Azure AD.\n\nDetection
@@ -36695,7 +36695,7 @@ persistence:
type: string
default: SuperSP
role_name:
description: Name of the targed Azure AD role
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
@@ -36737,11 +36737,11 @@ persistence:
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
elevation_required: false
- name: AzureAD - adding permission to application
- name: Azure AD - adding permission to application
auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
description: |
The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.
The adversaries want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead of New-AzureADServicePrincipal to use an existing application.
The DirectoryRecommendations.Read.All permissions have been selected as the default
The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
@@ -36764,7 +36764,7 @@ persistence:
type: string
default: p4sswd
application_name:
description: Name of the targed application
description: Name of the targeted application
type: string
default: test_app
application_permission:
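Review bot: The reworded description of the "Azure AD - adding permission to application" test at `@@ -36737` still reads `add permission to new created application. Application could be then use for persistence`; since that line is being edited anyway, `add permission to a newly created application. The application could then be used for persistence` would finish the correction. The context line ending `In targer you will also see` in the first hunk (`@@ -36599`) carries the same kind of typo (`target`) that this commit fixes elsewhere in the same description. Both descriptions continue outside their hunks, and if this file is a generated index the wording should be fixed in the technique's source YAML rather than here.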
+7 -7
@@ -36294,7 +36294,7 @@ persistence:
atomic_tests:
- name: Azure - adding user to Azure role in subscription
auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
description: "The adversarie want to add user to some Azure role, also called
description: "The adversaries want to add user to some Azure role, also called
Azure resource role. Threat actor \nmay be interested primarily in highly
privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is
assigned to user in this test.\n\nNew-AzRoleAssignment cmdlet could be also
@@ -36320,11 +36320,11 @@ persistence:
type: string
default: SuperUser
role_name:
description: Name of the targed Azure role
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targed subscription
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
@@ -36368,12 +36368,12 @@ persistence:
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
Write-Host "User Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure role in subscription
auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
description: "The adversarie want to add service principal to some Azure role,
description: "The adversaries want to add service principal to some Azure role,
also called Azure resource role. Threat actor \nmay be interested primarily
in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role
Reader is assigned to service principal in this test.\n\nNew-AzRoleAssignment
@@ -36400,11 +36400,11 @@ persistence:
type: string
default: SuperSP
role_name:
description: Name of the targed Azure role
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targed subscription
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
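Review bot: The renamed log line in the hunk at `@@ -36368` still interpolates `$($sp.DisplayName)` and `$($subscriptions.Name)` even though the removal two lines above acts on `$user.id` with `-Scope /subscriptions/$subscription`, so in this user-principal cleanup `$sp` is most likely unset and the message prints an empty name. Suggest `Write-Host "User Principal $($user.DisplayName) was removed from $($role.Name) role in subscription $subscription"`. Whether `$subscriptions` is assigned earlier in the cleanup command cannot be seen from the hunk, so that part is inferred. The identical line recurs in the later file section at `@@ -60633`, and if these are generated index files the correction belongs in the technique's source YAML as well.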
+39 -25
@@ -40078,11 +40078,11 @@ privilege-escalation:
script_location:
description: evil plist location
type: path
default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
script_destination:
description: Path where to move the evil plist
type: path
default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
empty_file:
description: Random name of the empty file used to trigger emond service
type: string
@@ -60419,13 +60419,13 @@ persistence:
aws iam remove-user-from-group --user-name #{username} --group-name #{username}
aws iam delete-group --group-name #{username}
name: sh
- name: Azure - adding user to Azure AD role
- name: Azure AD - adding user to Azure AD role
auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
description: "The adversarie want to add user to some Azure AD role. Threat
description: "The adversaries want to add user to some Azure AD role. Threat
actor \nmay be interested primarily in highly privileged roles, e.g. Global
Administrator, Application Administrator, \nPrivileged authentication administrator
Administrator, Application Administrator, \nPrivileged Authentication Administrator
(this role can reset Global Administrator password!).\nBy default, the role
Global Reader is assigned to service principal in this test.\n\nThe account
Global Reader is assigned to the user principal in this test.\n\nThe account
you use to run the PowerShell command should have Privileged Role Administrator
or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity
\"Add member to role\" in Azure AD Audit Logs. In targer you will also see
@@ -60446,7 +60446,7 @@ persistence:
type: string
default: SuperUser
role_name:
description: Name of the targed Azure AD role
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
@@ -60488,12 +60488,12 @@ persistence:
Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure AD role
- name: Azure AD - adding service principal to Azure AD role
auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
description: "The adversarie want to add service principal to some Azure AD
description: "The adversaries want to add service principal to some Azure AD
role. Threat actor \nmay be interested primarily in highly privileged roles,
e.g. Global Administrator, Application Administrator, \nPrivileged authentication
administrator (this role can reset Global Administrator password!).\nBy default,
e.g. Global Administrator, Application Administrator, \nPrivileged Authentication
Administrator (this role can reset Global Administrator password!).\nBy default,
the role Global Reader is assigned to service principal in this test.\n\nThe
account you use to run the PowerShell command should have Privileged Role
Administrator or Global Administrator role in your Azure AD.\n\nDetection
@@ -60515,7 +60515,7 @@ persistence:
type: string
default: SuperSP
role_name:
description: Name of the targed Azure AD role
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
@@ -60559,7 +60559,7 @@ persistence:
elevation_required: false
- name: Azure - adding user to Azure role in subscription
auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
description: "The adversarie want to add user to some Azure role, also called
description: "The adversaries want to add user to some Azure role, also called
Azure resource role. Threat actor \nmay be interested primarily in highly
privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is
assigned to user in this test.\n\nNew-AzRoleAssignment cmdlet could be also
@@ -60585,11 +60585,11 @@ persistence:
type: string
default: SuperUser
role_name:
description: Name of the targed Azure role
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targed subscription
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
@@ -60633,12 +60633,12 @@ persistence:
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
Write-Host "User Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure role in subscription
auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
description: "The adversarie want to add service principal to some Azure role,
description: "The adversaries want to add service principal to some Azure role,
also called Azure resource role. Threat actor \nmay be interested primarily
in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role
Reader is assigned to service principal in this test.\n\nNew-AzRoleAssignment
@@ -60665,11 +60665,11 @@ persistence:
type: string
default: SuperSP
role_name:
description: Name of the targed Azure role
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targed subscription
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
@@ -60713,11 +60713,11 @@ persistence:
$($subscriptions.Name)\"\n"
name: powershell
elevation_required: false
- name: AzureAD - adding permission to application
- name: Azure AD - adding permission to application
auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
description: |
The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.
The adversaries want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead of New-AzureADServicePrincipal to use an existing application.
The DirectoryRecommendations.Read.All permissions have been selected as the default
The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
@@ -60740,7 +60740,7 @@ persistence:
type: string
default: p4sswd
application_name:
description: Name of the targed application
description: Name of the targeted application
type: string
default: test_app
application_permission:
@@ -63920,11 +63920,11 @@ persistence:
script_location:
description: evil plist location
type: path
default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
script_destination:
description: Path where to move the evil plist
type: path
default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
empty_file:
description: Random name of the empty file used to trigger emond service
type: string
@@ -90910,6 +90910,20 @@ discovery:
executor:
command: 'W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
'
name: command_prompt
- name: System Time with Windows time Command
auto_generated_guid: 53ead5db-7098-4111-bb3f-563be390e72e
description: |
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
Recently observed in use in the wild during an incident involving Ursnif malware:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
supported_platforms:
- windows
executor:
command: 'time
'
name: command_prompt
resource-development:
@@ -25215,11 +25215,11 @@ privilege-escalation:
script_location:
description: evil plist location
type: path
default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
script_destination:
description: Path where to move the evil plist
type: path
default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
empty_file:
description: Random name of the empty file used to trigger emond service
type: string
@@ -41310,11 +41310,11 @@ persistence:
script_location:
description: evil plist location
type: path
default: "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist"
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
script_destination:
description: Path where to move the evil plist
type: path
default: "/etc/emond.d/rules/atomicredteam_T1053_004.plist"
default: "/etc/emond.d/rules/atomicredteam_T1543_001.plist"
empty_file:
description: Random name of the empty file used to trigger emond service
type: string
@@ -78998,6 +78998,20 @@ discovery:
executor:
command: 'W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
'
name: command_prompt
- name: System Time with Windows time Command
auto_generated_guid: 53ead5db-7098-4111-bb3f-563be390e72e
description: |
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
Recently observed in use in the wild during an incident involving Ursnif malware:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
supported_platforms:
- windows
executor:
command: 'time
'
name: command_prompt
resource-development:
@@ -12,15 +12,15 @@ In order to create or manipulate accounts, the adversary must already have suffi
- [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group)
- [Atomic Test #4 - Azure - adding user to Azure AD role](#atomic-test-4---azure---adding-user-to-azure-ad-role)
- [Atomic Test #4 - Azure AD - adding user to Azure AD role](#atomic-test-4---azure-ad---adding-user-to-azure-ad-role)
- [Atomic Test #5 - Azure - adding service principal to Azure AD role](#atomic-test-5---azure---adding-service-principal-to-azure-ad-role)
- [Atomic Test #5 - Azure AD - adding service principal to Azure AD role](#atomic-test-5---azure-ad---adding-service-principal-to-azure-ad-role)
- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role-in-subscription)
- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription)
- [Atomic Test #8 - AzureAD - adding permission to application](#atomic-test-8---azuread---adding-permission-to-application)
- [Atomic Test #8 - Azure AD - adding permission to application](#atomic-test-8---azure-ad---adding-permission-to-application)
- [Atomic Test #9 - Password Change on Directory Service Restore Mode (DSRM) Account](#atomic-test-9---password-change-on-directory-service-restore-mode-dsrm-account)
@@ -213,11 +213,11 @@ echo Please run atomic test T1136.003, before running this atomic test
<br/>
<br/>
## Atomic Test #4 - Azure - adding user to Azure AD role
The adversarie want to add user to some Azure AD role. Threat actor
## Atomic Test #4 - Azure AD - adding user to Azure AD role
The adversaries want to add user to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
Privileged Authentication Administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to the user principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
@@ -238,7 +238,7 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
| role_name | Name of the targed Azure AD role | string | Global Reader|
| role_name | Name of the targeted Azure AD role | string | Global Reader|
#### Attack Commands: Run with `powershell`!
@@ -293,10 +293,10 @@ Install-Module -Name AzureAD -Force
<br/>
<br/>
## Atomic Test #5 - Azure - adding service principal to Azure AD role
The adversarie want to add service principal to some Azure AD role. Threat actor
## Atomic Test #5 - Azure AD - adding service principal to Azure AD role
The adversaries want to add service principal to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
Privileged Authentication Administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
@@ -318,7 +318,7 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| service_principal_name | Name of the service principal | string | SuperSP|
| role_name | Name of the targed Azure AD role | string | Global Reader|
| role_name | Name of the targeted Azure AD role | string | Global Reader|
#### Attack Commands: Run with `powershell`!
@@ -374,7 +374,7 @@ Install-Module -Name AzureAD -Force
<br/>
## Atomic Test #6 - Azure - adding user to Azure role in subscription
The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor
The adversaries want to add user to some Azure role, also called Azure resource role. Threat actor
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to user in this test.
@@ -401,8 +401,8 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
| role_name | Name of the targed Azure role | string | Reader|
| subscription | Name of the targed subscription | string | Azure subscription 1|
| role_name | Name of the targeted Azure role | string | Reader|
| subscription | Name of the targeted subscription | string | Azure subscription 1|
#### Attack Commands: Run with `powershell`!
@@ -440,7 +440,7 @@ $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
Write-Host "User Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
```
@@ -463,7 +463,7 @@ Install-Module -Name Az.Resources -Force
<br/>
## Atomic Test #7 - Azure - adding service principal to Azure role in subscription
The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor
The adversaries want to add service principal to some Azure role, also called Azure resource role. Threat actor
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to service principal in this test.
@@ -490,8 +490,8 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| service_principal_name | Name of the service principal | string | SuperSP|
| role_name | Name of the targed Azure role | string | Reader|
| subscription | Name of the targed subscription | string | Azure subscription 1|
| role_name | Name of the targeted Azure role | string | Reader|
| subscription | Name of the targeted subscription | string | Azure subscription 1|
#### Attack Commands: Run with `powershell`!
@@ -551,9 +551,9 @@ Install-Module -Name Az.Resources -Force
<br/>
<br/>
## Atomic Test #8 - AzureAD - adding permission to application
The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.
## Atomic Test #8 - Azure AD - adding permission to application
The adversaries want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead of New-AzureADServicePrincipal to use an existing application.
The DirectoryRecommendations.Read.All permissions have been selected as the default
The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
@@ -579,7 +579,7 @@ https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
|------|-------------|------|---------------|
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| application_name | Name of the targed application | string | test_app|
| application_name | Name of the targeted application | string | test_app|
| application_permission | Permission from Microsoft Graph Resource API that will be add to application | string | DirectoryRecommendations.Read.All|
@@ -128,13 +128,13 @@ atomic_tests:
aws iam delete-group --group-name #{username}
name: sh
- name: Azure - adding user to Azure AD role
- name: Azure AD - adding user to Azure AD role
auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
description: |
The adversarie want to add user to some Azure AD role. Threat actor
The adversaries want to add user to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
Privileged Authentication Administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to the user principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
@@ -155,7 +155,7 @@ atomic_tests:
type: string
default: SuperUser
role_name:
description: Name of the targed Azure AD role
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
@@ -194,12 +194,12 @@ atomic_tests:
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure AD role
- name: Azure AD - adding service principal to Azure AD role
auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
description: |
The adversarie want to add service principal to some Azure AD role. Threat actor
The adversaries want to add service principal to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
Privileged Authentication Administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
@@ -221,7 +221,7 @@ atomic_tests:
type: string
default: SuperSP
role_name:
description: Name of the targed Azure AD role
description: Name of the targeted Azure AD role
type: string
default: Global Reader
dependencies:
@@ -263,7 +263,7 @@ atomic_tests:
- name: Azure - adding user to Azure role in subscription
auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
description: |
The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor
The adversaries want to add user to some Azure role, also called Azure resource role. Threat actor
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to user in this test.
@@ -290,11 +290,11 @@ atomic_tests:
type: string
default: SuperUser
role_name:
description: Name of the targed Azure role
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targed subscription
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
@@ -334,14 +334,14 @@ atomic_tests:
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
Write-Host "User Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure role in subscription
auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
description: |
The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor
The adversaries want to add service principal to some Azure role, also called Azure resource role. Threat actor
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to service principal in this test.
@@ -368,11 +368,11 @@ atomic_tests:
type: string
default: SuperSP
role_name:
description: Name of the targed Azure role
description: Name of the targeted Azure role
type: string
default: Reader
subscription:
description: Name of the targed subscription
description: Name of the targeted subscription
type: string
default: Azure subscription 1
dependencies:
@@ -416,11 +416,11 @@ atomic_tests:
name: powershell
elevation_required: false
- name: AzureAD - adding permission to application
- name: Azure AD - adding permission to application
auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
description: |
The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.
The adversaries want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
You can use Get-AzureADApplication instead of New-AzureADServicePrincipal to use an existing application.
The DirectoryRecommendations.Read.All permissions have been selected as the default
The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
@@ -443,7 +443,7 @@ atomic_tests:
type: string
default: p4sswd
application_name:
description: Name of the targed application
description: Name of the targeted application
type: string
default: test_app
application_permission:
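Review bot: The corrected cleanup message in the "Azure - adding user to Azure role in subscription" test still interpolates `$($sp.DisplayName)`, yet this test removes the assignment with `$user.id`, so unless `$sp` is set earlier in the cleanup (its start is outside the hunk) the line prints an empty name, and `Write-Host` reports success whether or not Remove-AzRoleAssignment removed anything. I'd change it to `Write-Host "User Principal $($user.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"` and follow it with a Get-AzRoleAssignment check for the same object and scope, so a role assignment left behind by a failed cleanup is not masked by a success message. `$subscriptions.Name` next to the `$subscription` used in `-Scope` is presumably deliberate (object versus id) but worth confirming against the lines above the hunk. The same line is mirrored in T1098.md and the generated persistence index in this commit, which should pick the fix up on regeneration.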
@@ -16,6 +16,8 @@ This information could be useful for performing other techniques, such as execut
- [Atomic Test #4 - System Time Discovery W32tm as a Delay](#atomic-test-4---system-time-discovery-w32tm-as-a-delay)
- [Atomic Test #5 - System Time with Windows time Command](#atomic-test-5---system-time-with-windows-time-command)
<br/>
@@ -136,4 +138,35 @@ W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
<br/>
<br/>
## Atomic Test #5 - System Time with Windows time Command
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
Recently observed in use in the wild during an incident involving Ursnif malware:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
**Supported Platforms:** Windows
**auto_generated_guid:** 53ead5db-7098-4111-bb3f-563be390e72e
#### Attack Commands: Run with `command_prompt`!
```cmd
time
```
<br/>
@@ -49,3 +49,16 @@ atomic_tests:
command: |
W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
name: command_prompt
- name: System Time with Windows time Command
auto_generated_guid: 53ead5db-7098-4111-bb3f-563be390e72e
description: |
Displays the current system time via the Windows builtin time command: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/time
Recently observed in use in the wild during an incident involving Ursnif malware:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/dc72f0b557fc63347379be0a33439788256761c8/rules/windows/process_creation/proc_creation_win_system_time_lookup.yml
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
supported_platforms:
- windows
executor:
command: |
time
name: command_prompt
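Review bot: `time` with no switch prints the current time and then prompts `Enter the new time:`, so under the command_prompt executor the step only finishes cleanly if stdin is closed or redirected; `time /t` prints the time without prompting and is the form documented at the linked page. I'd make it `command: time /t` unless the bare form was chosen on purpose to match the referenced Sigma rule's command-line pattern, in which case one sentence in the description saying so would spare the next maintainer the same question. `builtin` in the description should read `built-in`. The generated index entries added in this commit mirror this test and will follow on regeneration.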
@@ -83,8 +83,8 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_location | evil plist location | path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist|
| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1053_004.plist|
| script_location | evil plist location | path | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist|
| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1543_001.plist|
| empty_file | Random name of the empty file used to trigger emond service | string | randomflag|
@@ -45,11 +45,11 @@ atomic_tests:
script_location:
description: evil plist location
type: path
default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist
script_destination:
description: Path where to move the evil plist
type: path
default: /etc/emond.d/rules/atomicredteam_T1053_004.plist
default: /etc/emond.d/rules/atomicredteam_T1543_001.plist
empty_file:
description: Random name of the empty file used to trigger emond service
type: string
@@ -1238,3 +1238,4 @@ bbdb06bc-bab6-4f5b-8232-ba3fbed51d77
07ce871a-b3c3-44a3-97fa-a20118fdc7c9
5d7057c9-2c8a-4026-91dd-13b5584daa69
cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a
53ead5db-7098-4111-bb3f-563be390e72e