diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 711a0f14..a66c4b27 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18920,7 +18920,8 @@ discovery:
identifier: T1082
atomic_tests:
- name: System Information Discovery
- description: 'Identify System Info
+ description: 'Identify System Info. Upon execution, system info and time info
+ will be displayed.
'
supported_platforms:
@@ -18993,7 +18994,8 @@ discovery:
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
- name: Hostname Discovery (Windows)
- description: 'Identify system hostname for Windows.
+ description: 'Identify system hostname for Windows. Upon execution, the hostname
+ of the device will be displayed.
'
supported_platforms:
@@ -19018,7 +19020,8 @@ discovery:
'
- name: Windows MachineGUID Discovery
- description: 'Identify the Windows MachineGUID value for a system.
+ description: 'Identify the Windows MachineGUID value for a system. Upon execution,
+ the machine GUID will be displayed from registry.
'
supported_platforms:
@@ -20737,7 +20740,8 @@ credential-access:
'
- name: Extracting passwords with findstr
- description: 'Extracting Credentials from Files
+ description: 'Extracting Credentials from Files. Upon execution, the contents
+ of files that contain the word "password" will be displayed.
'
supported_platforms:
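Review bot: The new description overstates what this test shows: the commands visible as context in the next hunk (`findstr /si pass *.xml *.doc *.txt *.xls` and `ls -R | select-string -Pattern password`) print only the matching lines, not file contents, and the findstr pattern is `pass`, case-insensitive, so files containing e.g. "passport" or "bypass" also match. Suggest `Upon execution, lines from *.xml, *.doc, *.txt and *.xls files that match "pass" (findstr) or "password" (select-string) will be displayed.` The same sentence appears in the T1081.md hunk further down and should be kept in sync. index.yaml and the .md files look like generated aggregates; if the technique's own YAML is the source of truth and is not part of this change, the next regeneration would presumably drop these edits.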
@@ -20749,18 +20753,17 @@ credential-access:
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -Pattern password
- name: Access unattend.xml
- description: 'Attempts to access unattend.xml, where credentials are commonly
- stored, within the Panther directory where installation logs are stored.
-
-'
+ description: |
+ Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+ If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
- type C:\Windows\Panther\unattend.xml > nul 2>&1
- type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
+ type C:\Windows\Panther\unattend.xml
+ type C:\Windows\Panther\Unattend\unattend.xml
T1214:
technique:
x_mitre_permissions_required:
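Review bot: Dropping `> nul 2>&1` on `type C:\Windows\Panther\unattend.xml` and `type C:\Windows\Panther\Unattend\unattend.xml` means the executor now echoes whatever those files hold to stdout; on a host where they are real deployment leftovers that can include a local administrator password, which any runner that captures command output will then persist in its logs. The `description: |` block should say so, e.g. add the line `Note: on real deployments these files may contain the local administrator password, so treat captured output as sensitive.` On a host without the files, `type` now prints "file not found" to stderr instead of being silent, which the "If these files exist" wording covers. The two new description lines are also far longer than the wrapped quoted scalars used elsewhere in this hunk; the `|` block can be wrapped to the same width without changing the value.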
@@ -21150,7 +21153,7 @@ credential-access:
'
- name: PowerShell - Prompt User for Password
description: |
- Prompt User for Password (Local Phishing) as seen in Stitch RAT.
+ Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
supported_platforms:
@@ -21586,10 +21589,7 @@ credential-access:
executor:
name: command_prompt
elevation_required: true
- command: |
- echo "ATOMICREDTEAM" > %windir%\cert.key
- dir c:\ /b /s .key | findstr /e .key
- cleanup_command: 'del c:\Windows\cert.key >nul 2>&1
+ command: 'dir c:\ /b /s .key | findstr /e .key
'
- name: Discover Private SSH Keys
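Review bot: With the `echo "ATOMICREDTEAM" > %windir%\cert.key` seed removed, the remaining `dir c:\ /b /s .key | findstr /e .key` has no guaranteed match on a clean host, so the test no longer reliably produces the file-discovery activity a detection is meant to catch, and findstr exits non-zero when nothing matches. If the goal was to stop writing into %windir%, creating the fixture in a temp path with a matching cleanup (e.g. `echo ATOMICREDTEAM > %TEMP%\cert.key` and `del %TEMP%\cert.key`) keeps a deterministic positive; if the intent is to only discover pre-existing keys, the test's description, which lies outside this hunk, should state that the output may be empty. Removing `cleanup_command` together with the seed is consistent, so no stale delete remains.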
diff --git a/atomics/T1081/T1081.md b/atomics/T1081/T1081.md
index 806c016f..d0b8f1d5 100644
--- a/atomics/T1081/T1081.md
+++ b/atomics/T1081/T1081.md
@@ -75,7 +75,7 @@ grep -ri password #{file_path}
## Atomic Test #3 - Extracting passwords with findstr
-Extracting Credentials from Files
+Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
**Supported Platforms:** Windows
@@ -101,6 +101,7 @@ ls -R | select-string -Pattern password
## Atomic Test #4 - Access unattend.xml
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
**Supported Platforms:** Windows
@@ -112,8 +113,8 @@ Attempts to access unattend.xml, where credentials are commonly stored, within t
```cmd
-type C:\Windows\Panther\unattend.xml > nul 2>&1
-type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
+type C:\Windows\Panther\unattend.xml
+type C:\Windows\Panther\Unattend\unattend.xml
```
diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md
index c6ae995c..3f757a7c 100644
--- a/atomics/T1082/T1082.md
+++ b/atomics/T1082/T1082.md
@@ -44,7 +44,7 @@ In Azure, the API request GET https://management.azure.com/subscriptions/{
## Atomic Test #1 - System Information Discovery
-Identify System Info
+Identify System Info. Upon execution, system info and time info will be displayed.
**Supported Platforms:** Windows
@@ -182,7 +182,7 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
## Atomic Test #6 - Hostname Discovery (Windows)
-Identify system hostname for Windows.
+Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
**Supported Platforms:** Windows
@@ -230,7 +230,7 @@ hostname
## Atomic Test #8 - Windows MachineGUID Discovery
-Identify the Windows MachineGUID value for a system.
+Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
**Supported Platforms:** Windows
diff --git a/atomics/T1141/T1141.md b/atomics/T1141/T1141.md
index b3cd6531..1aca40c6 100644
--- a/atomics/T1141/T1141.md
+++ b/atomics/T1141/T1141.md
@@ -39,7 +39,7 @@ osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Pr
## Atomic Test #2 - PowerShell - Prompt User for Password
-Prompt User for Password (Local Phishing) as seen in Stitch RAT.
+Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
diff --git a/atomics/T1145/T1145.md b/atomics/T1145/T1145.md
index 74bcd4ff..60c30c87 100644
--- a/atomics/T1145/T1145.md
+++ b/atomics/T1145/T1145.md
@@ -35,14 +35,9 @@ File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .
```cmd
-echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key
```
-#### Cleanup Commands:
-```cmd
-del c:\Windows\cert.key >nul 2>&1
-```