security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

More test improvements (#732)

Browse Source 
* update tests

* T1518 improvements

* remove prereq commands

* fix typo

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Andrew Beers
2020-01-06 13:17:45 -08:00
committed by Carrie Roberts
parent 2156972ed0
commit a0b8d7e438
3 changed files with 17 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1518/T1518.yaml
+3 -7
View File
@@ -6,10 +6,8 @@ atomic_tests:
- name: Find and Display Internet Explorer Browser Version
description: |
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
@@ -19,13 +17,11 @@ atomic_tests:
- name: Applications Installed
description: |
Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
supported_platforms:
- windows
executor:
name: command_prompt
name: powershell
elevation_required: false # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actual attack commands, at least one command must be provided
POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize