More test improvements (#732)

* update tests

* T1518 improvements

* remove prereq commands

* fix typo

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Andrew Beers
2020-01-06 13:17:45 -08:00
committed by Carrie Roberts
parent 2156972ed0
commit a0b8d7e438
3 changed files with 17 additions and 29 deletions
+1 -1
@@ -57,7 +57,7 @@ atomic_tests:
net view \\#{computer_name}
get-smbshare -Name #{computer_name}
- name: View avaliabe share drives
- name: View available share drives
description:
View information about all of the resources that are shared on the local computer
supported_platforms:
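Review bot: the `get-smbshare -Name #{computer_name}` context line above the renamed test is not a PowerShell equivalent of `net view \\#{computer_name}`: `-Name` filters the local host's shares by share name, so passing a computer name returns nothing. Use `Get-SmbShare -CimSession #{computer_name}` to enumerate a remote host's shares, or keep only the `net view` line. The "avaliabe" to "available" rename itself is fine.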
+13 -21
@@ -6,10 +6,8 @@ atomic_tests:
- name: Windows - Delete Volume Shadow Copies
description: |
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
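Review bot: the two lines removed between `supported_platforms` and `executor` are not visible in this render; per the commit message they were prerequisite commands. Dropping them is acceptable since `elevation_required: true` is kept, but the description should then state what the host needs for the test to be meaningful (at least one existing shadow copy), otherwise the deletion succeeds trivially with nothing to delete and the detection under test never has anything to fire on.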
@@ -19,10 +17,8 @@ atomic_tests:
- name: Windows - Delete Windows Backup Catalog
description: |
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
@@ -31,49 +27,47 @@ atomic_tests:
- name: Windows - Disable Windows Recovery Console Repair
description: |
Disables repair by the Windows Recovery Console on boot.
Disables repair by the Windows Recovery Console on boot.
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
cleanup_command: |
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
- name: Windows - Overwrite file with Sysinternals SDelete
description: |
Overwrites and deletes a file using Sysinternals SDelete.
Requires the download of either Sysinternals Suite or the individual SDelete utility.
supported_platforms:
- windows
input_arguments:
file_to_overwrite:
description: Path of file to overwrite and remove
sdelete_path:
description: Path to sdelete.exe
type: Path
default: C:\some\file.txt
default: ""
executor:
name: command_prompt
name: powershell
command: |
sdelete.exe #{file_to_overwrite}
New-Item $env:TEMP\T1485.txt
Set-Location #{sdelete_path}
.\sdelete.exe -accepteula $env:TEMP\T1485.txt
- name: macOS/Linux - Overwrite file with DD
description: |
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
supported_platforms:
- centos
- linux
- macos
- ubuntu
input_arguments:
overwrite_source:
description: Path of data source to overwrite with
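Review bot: `default: ""` for `sdelete_path` makes the SDelete test fail out of the box: `Set-Location ""` throws (an empty string cannot bind to `-Path`) before `.\sdelete.exe` is ever reached. Either give it a real default (the folder the suite expects the download in) or drop `Set-Location` and invoke `& "#{sdelete_path}\sdelete.exe" -accepteula $env:TEMP\T1485.txt`, which also avoids changing the runner's working directory. Second, `New-Item $env:TEMP\T1485.txt` errors on a rerun because the file already exists; use `New-Item -ItemType File -Force $env:TEMP\T1485.txt`. Dropping `centos` and `ubuntu` under the DD test is fine since `linux` covers them, and the duplicated "Disables repair by the Windows Recovery Console on boot." line at the top of the hunk reads as a whitespace-only change.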
@@ -83,7 +77,6 @@ atomic_tests:
description: Path of file to overwrite and remove
type: Path
default: /var/log/syslog
executor:
name: bash
command: |
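Review bot: the `default: /var/log/syslog` for `file_to_overwrite` destroys a real log on the test host and does not even exist on two of the listed platforms: macOS logs to `/var/log/system.log` and RHEL-family Linux to `/var/log/messages`. Default to a file the test creates itself, e.g. `/tmp/T1485.txt`, the way the Windows variant in this same file now targets `$env:TEMP\T1485.txt`, so the DD run is reproducible and does not wipe evidence the blue team may need.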
@@ -92,11 +85,10 @@ atomic_tests:
- name: Windows - Delete Backup Files
description: |
Deletes backup files in a manner similar to Ryuk ransomware.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
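Review bot: the `del` line is unchanged apart from whitespace (it appears once as removed and once as added), so the point to raise is the test itself: `del /s /f /q c:\*.VHD c:\*.bac c:\*.bak ...` recurses the entire system drive and irreversibly deletes any real backup, VHD or `.bak` file it finds, and there is no `cleanup_command`. Stage the target files under a dedicated test directory, or at minimum say in the description that this is destructive across all of `C:` so nobody runs it on a host with real backups.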
+3 -7
@@ -6,10 +6,8 @@ atomic_tests:
- name: Find and Display Internet Explorer Browser Version
description: |
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
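Review bot: the `# indicates whether command must be run with admin privileges...` comment on `elevation_required` is boilerplate carried over from the atomic skeleton; strip it here (and on the next test) so the file reads like the other techniques in this commit, which carry no such comments. The removed prerequisite lines are not shown in this render.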
@@ -19,13 +17,11 @@ atomic_tests:
- name: Applications Installed
description: |
Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
supported_platforms:
- windows
executor:
name: command_prompt
name: powershell
elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
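Review bot: switching the executor to `powershell` and dropping the `POWERSHELL.EXE "..."` wrapper is the right fix (the old form spawned a child PowerShell from cmd.exe with the whole pipeline inside quotes), but two things remain: the `# these are the actual attack commands...` and `# indicates whether...` template comments should go, and the enumeration misses per-user installs. Add `Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize` alongside the HKLM and Wow6432Node queries so the test produces what a real software-discovery tool would see.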