diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 90a20188..bbe69973 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -50,6 +50,7 @@ chmod +x /tmp/art.sh
## Atomic Test #2 - Execute base64-encoded PowerShell
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
+Upon execution the test will print "Hey, Atomic!" to the PowerShell session
**Supported Platforms:** Windows
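Review bot: the new sentence states the printed string unconditionally, but "Hey, Atomic!" only appears when the `powershell_command` input argument keeps its default, since the test encodes whatever is in `#{powershell_command}`. Suggest "Upon execution, the test prints the value of `powershell_command` (by default "Hey, Atomic!") to the PowerShell session." and end the sentence with a period like the line above it.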
@@ -70,7 +71,6 @@ $OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
-
powershell.exe -EncodedCommand $EncodedCommand
```
diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md
index aa35046f..f213f712 100644
--- a/atomics/T1036/T1036.md
+++ b/atomics/T1036/T1036.md
@@ -41,6 +41,7 @@ An example of abuse of trusted locations in Linux would be the /binnul 2>&1
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
+Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
**Supported Platforms:** Windows
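Review bot: grammar in the added line: "ran out of the temp folder" should be "run from the temp folder", and the sentence has no terminating period. Suggest "Upon execution, no windows will remain open, but wscript.exe will have been copied to the temp folder as svchost.exe and run from there."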
diff --git a/atomics/T1096/T1096.md b/atomics/T1096/T1096.md
index a0d8f793..fae1565d 100644
--- a/atomics/T1096/T1096.md
+++ b/atomics/T1096/T1096.md
@@ -57,6 +57,7 @@ esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
## Atomic Test #2 - Store file in Alternate Data Stream (ADS)
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
+Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test
**Supported Platforms:** Windows
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 0dd4dc55..36fc90ef 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -262,7 +262,7 @@ Remove-item $key -Recurse -ErrorAction Ignore
## Atomic Test #7 - Javascript in registry
-placing javascript in registry for persistence
+Upon execution, a javascript block will be placed in the registry for persistence
**Supported Platforms:** Windows
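Review bot: the replaced description drops the original statement of what the test does and keeps only the expected-result sentence, which is inconsistent with every other test in this PR, where the "Upon execution" line is appended under the existing description. Suggest keeping a description line such as "Places JavaScript in the registry for persistence." and adding "Upon execution, a JavaScript block will be placed in the registry for persistence." below it.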
diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md
index 9fe55152..5e3945e4 100644
--- a/atomics/T1170/T1170.md
+++ b/atomics/T1170/T1170.md
@@ -25,6 +25,7 @@ Mshta.exe can be used to bypass application whitelisting solutions that do not a
## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
Test execution of a remote script using mshta.exe
+Upon execution calc.exe will be launched
**Supported Platforms:** Windows
@@ -108,6 +109,7 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit
## Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)
Execute an arbitrary remote HTA.
+Upon execution calc.exe will be launched
**Supported Platforms:** Windows
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md
index 28c59c92..c8be8bf2 100644
--- a/atomics/T1202/T1202.md
+++ b/atomics/T1202/T1202.md
@@ -15,8 +15,8 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.
## Atomic Test #1 - Indirect Command Execution - pcalua.exe
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
-
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
+Upon execution, calc.exe should open
**Supported Platforms:** Windows
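Review bot: removing the blank line between the description sentence and `[Reference](...)` changes the Markdown rendering: a single newline is a soft break, so the reference link and the new "Upon execution, calc.exe should open" line now render inside the same paragraph as the description. Suggest keeping the blank line before `[Reference]` and adding one before the "Upon execution" line so each stays its own paragraph.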
@@ -27,8 +27,7 @@ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of pro
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe|
-| payload_path | Path to payload | path | c:\temp\payload.dll|
-| payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java|
+| payload_path | Path to payload | path | C:\Windows\System32\calc.exe|
#### Attack Commands: Run with `command_prompt`!
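Review bot: the new default for `payload_path` (`C:\Windows\System32\calc.exe`) is the same binary as the default for `process` (`calc.exe`), so the argument's description "Path to payload" no longer describes anything distinct and the `payload_cpl_path` case (a CPL launched via `-c`) is dropped without a stated reason. Suggest either keeping one non-exe payload example so the argument still exercises a different pcalua code path, or removing `payload_path` entirely and noting in the PR why the CPL variant was removed.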
@@ -37,7 +36,6 @@ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of pro
```cmd
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
-pcalua.exe -a #{payload_cpl_path}
```
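Review bot: with the default values from the table above, `pcalua.exe -a #{process}` and `pcalua.exe -a #{payload_path}` both resolve to launching calc.exe, so the second command only repeats the first. Suggest keeping a single command unless `payload_path` defaults to something other than calc.exe.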
@@ -50,10 +48,9 @@ pcalua.exe -a #{payload_cpl_path}
## Atomic Test #2 - Indirect Command Execution - forfiles.exe
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
-
[Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md)
-
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
+Upon execution calc.exe will be opened
**Supported Platforms:** Windows
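Review bot: the two removed blank lines collapse the description, the `[Reference]` link, the quoted explanation and the new "Upon execution calc.exe will be opened" line into one Markdown paragraph. Suggest restoring the blank lines, and adding a comma and a period to the new sentence ("Upon execution, calc.exe will be opened.") to match the other tests in this PR.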
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 596fb2e0..19930a30 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -8748,8 +8748,8 @@ defense-evasion:
- name: Indirect Command Execution - pcalua.exe
description: |
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
-
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
+ Upon execution, calc.exe should open
supported_platforms:
- windows
input_arguments:
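Review bot: the `description` here is a `|` block scalar, so the removed blank line was the paragraph separator for the generated Markdown; removing it means the reference link and the new "Upon execution, calc.exe should open" line are emitted as soft line breaks inside the description paragraph. Suggest keeping the blank line inside the block scalar and adding one before the new line.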
@@ -8760,24 +8760,19 @@ defense-evasion:
payload_path:
description: Path to payload
type: path
- default: c:\temp\payload.dll
- payload_cpl_path:
- description: Path to payload
- type: path
- default: C:\Windows\system32\javacpl.cpl -c Java
+ default: C:\Windows\System32\calc.exe
executor:
name: command_prompt
+ elevation_required: false
command: |
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
- pcalua.exe -a #{payload_cpl_path}
- name: Indirect Command Execution - forfiles.exe
description: |
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
-
[Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md)
-
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
+ Upon execution calc.exe will be opened
supported_platforms:
- windows
input_arguments:
@@ -8787,6 +8782,7 @@ defense-evasion:
default: calc.exe
executor:
name: command_prompt
+ elevation_required: false
command: |
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
@@ -9672,18 +9668,17 @@ defense-evasion:
identifier: T1036
atomic_tests:
- name: Masquerading as Windows LSASS process
- description: 'Copies cmd.exe, renames it, and launches it to masquerade as an
- instance of lsass.exe.
-
-'
+ description: |
+ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
+ Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
- cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
- cmd.exe /c %SystemRoot%\Temp\lsass.exe
+ copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
+ %SystemRoot%\Temp\lsass.exe /B
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
'
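Review bot: the new description says the test hangs until the 120 second timeout, and the new command is the cause: the copied binary is cmd.exe, which has no `/B` switch (`/B` belongs to `start`), so `%SystemRoot%\Temp\lsass.exe /B` starts an interactive shell that never exits. Suggest passing a cmd.exe switch that terminates the process, for example `%SystemRoot%\Temp\lsass.exe /C exit`, and then dropping the hang warning from the description; also lower-case "The" in "If using Invoke-AtomicTest, The test will hang".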
@@ -9717,10 +9712,9 @@ defense-evasion:
'
- name: Masquerading - wscript.exe running as svchost.exe
- description: 'Copies wscript.exe, renames it, and launches it to masquerade
- as an instance of svchost.exe.
-
-'
+ description: |
+ Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
+ Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
supported_platforms:
- windows
executor:
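Review bot: same grammar issue as the T1036.md hunk: "ran out of the temp folder" should read "run from the temp folder", and the sentence needs a terminating period. Suggest "Upon execution, no windows will remain open, but wscript.exe will have been copied to the temp folder as svchost.exe and run from there."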
@@ -10073,7 +10067,8 @@ defense-evasion:
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
Remove-item $key -Recurse -ErrorAction Ignore
- name: Javascript in registry
- description: 'placing javascript in registry for persistence
+ description: 'Upon execution, a javascript block will be placed in the registry
+ for persistence
'
supported_platforms:
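Review bot: this description is kept as a single-quoted scalar folded across two lines while the other descriptions touched in this PR were converted to `|` block scalars with the original description kept on the first line. Suggest the same treatment here: a `|` block scalar with "Places JavaScript in the registry for persistence." followed by the "Upon execution" line, so the entry keeps a statement of what the test does.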
@@ -10085,8 +10080,10 @@ defense-evasion:
Settings" -Name T1112 -Value "