diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml
index e1808f69..66ebabcc 100644
--- a/atomics/T1135/T1135.yaml
+++ b/atomics/T1135/T1135.yaml
@@ -57,7 +57,7 @@ atomic_tests:
 net view \\#{computer_name}
 get-smbshare -Name #{computer_name}
-- name: View avaliabe share drives
+- name: View available share drives
 description: View information about all of the resources that are shared on the local computer
 supported_platforms:
diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml
index cb61c927..dc0fdd50 100644
--- a/atomics/T1485/T1485.yaml
+++ b/atomics/T1485/T1485.yaml
@@ -6,10 +6,8 @@ atomic_tests:
 - name: Windows - Delete Volume Shadow Copies
 description: |
 Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
 supported_platforms:
 - windows
-
 executor:
 name: command_prompt
 elevation_required: true
@@ -19,10 +17,8 @@ atomic_tests:
 - name: Windows - Delete Windows Backup Catalog
 description: |
 Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
 supported_platforms:
 - windows
-
 executor:
 name: command_prompt
 elevation_required: true
@@ -31,49 +27,47 @@ atomic_tests: - name: Windows - Disable Windows Recovery Console Repair description: | - Disables repair by the Windows Recovery Console on boot. + Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. - supported_platforms: - windows - executor: name: command_prompt elevation_required: true command: | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} recoveryenabled no + cleanup_command: | + bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures + bcdedit.exe /set {default} recoveryenabled yes - name: Windows - Overwrite file with Sysinternals SDelete description: | Overwrites and deletes a file using Sysinternals SDelete. Requires the download of either Sysinternals Suite or the individual SDelete utility. - supported_platforms: - windows - input_arguments: - file_to_overwrite: - description: Path of file to overwrite and remove + sdelete_path: + description: Path to sdelete.exe type: Path - default: C:\some\file.txt - + default: "" executor: - name: command_prompt + name: powershell command: | - sdelete.exe #{file_to_overwrite} + New-Item $env:TEMP\T1485.txt + Set-Location #{sdelete_path} + .\sdelete.exe -accepteula $env:TEMP\T1485.txt - name: macOS/Linux - Overwrite file with DD description: | Overwrites and deletes a file using DD. - To stop the test, break the command with CTRL/CMD+C. supported_platforms: - centos - linux - macos - ubuntu - input_arguments: overwrite_source: description: Path of data source to overwrite with @@ -83,7 +77,6 @@ atomic_tests: description: Path of file to overwrite and remove type: Path default: /var/log/syslog - executor: name: bash command: | 
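Review bot: The rewritten SDelete test cannot run with its declared defaults: `sdelete_path` now has `default: ""`, so `Set-Location #{sdelete_path}` fails on an empty path and the following `.\sdelete.exe -accepteula $env:TEMP\T1485.txt` resolves against whatever the current directory happens to be. `New-Item $env:TEMP\T1485.txt` also errors on a second run if the file is still present, so that step should read `New-Item -ItemType File -Force $env:TEMP\T1485.txt`. A non-empty placeholder default for `sdelete_path`, plus a sentence in the description saying it must name the directory containing sdelete.exe, would make the prerequisite explicit. For the added `cleanup_command` on the Recovery Console test, the description should note that `bootstatuspolicy DisplayAllFailures` and `recoveryenabled yes` are assumed to be the prior settings, since the command does not capture them before the change; the DD test at the end of this hunk continues in the next hunk.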
@@ -92,11 +85,10 @@ atomic_tests:
 - name: Windows - Delete Backup Files
 description: |
 Deletes backup files in a manner similar to Ryuk ransomware.
-
 supported_platforms:
 - windows
-
 executor:
 name: command_prompt
+ elevation_required: true
 command: |
- del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
\ No newline at end of file
+ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
diff --git a/atomics/T1518/T1518.yaml b/atomics/T1518/T1518.yaml
index dc653bfa..43f3e7b5 100644
--- a/atomics/T1518/T1518.yaml
+++ b/atomics/T1518/T1518.yaml
@@ -6,10 +6,8 @@ atomic_tests:
 - name: Find and Display Internet Explorer Browser Version
 description: |
 Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
-
 supported_platforms:
 - windows
-
 executor:
 name: command_prompt
 elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
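Review bot: The `del /s /f /q c:\*.VHD ... c:\*.dsk` command recurses the whole system drive and the test still has no `cleanup_command`, so every file it matches is gone for good; the new `elevation_required: true` only widens what it can reach. The description should state this plainly, e.g. `Deletes backup files in a manner similar to Ryuk ransomware. This test is destructive and has no cleanup: it removes every matching file under C:\, so run it only on a disposable system.` If the intent is a safer exercise of the same behaviour, the drive and patterns could become an `input_arguments` entry whose default points at a dedicated test directory rather than the volume root.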
@@ -19,13 +17,11 @@ atomic_tests:
 - name: Applications Installed
 description: |
 Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
-
 supported_platforms:
 - windows
-
 executor:
- name: command_prompt
+ name: powershell
 elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
 command: | # these are the actual attack commands, at least one command must be provided
- POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
- powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
+ Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
+ Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
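Review bot: The second added line, `Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*`, produces a non-terminating "Cannot find path" error on a host where the Wow6432Node key is absent, which is normally the case on 32-bit Windows; the listing still completes but the output is noisy, so appending `-ErrorAction SilentlyContinue` to both `Get-ItemProperty` calls would keep the test quiet. Now that the executor is `powershell`, the `# these are the actual attack commands, at least one command must be provided` comment on the `command: |` line is leftover template scaffolding and can be dropped. Style only: `-Autosize` is accepted because PowerShell parameter names are case-insensitive, but the documented spelling is `-AutoSize`.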