diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 68f07fb3..90337d18 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -55098,13 +55098,11 @@ discovery: name: command_prompt - name: Griffon Recon auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 - description: "Griffon is a sophisticated tool believed to be in use by one of - more \"APT\" groups. This atomic is for detecting, specifically, the reconnaissance - part of the tool.\nThis script used here was reduced by security researcher - Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), - \nand it gives the exact same recon behavior as the original (minus the C2 - interaction). \nFor more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon - and https://attack.mitre.org/software/S0417/" + description: "This script emulates the reconnaissance script seen in used by + Griffon and was modified by security researcher Kirk Sayre \nin order simply + print the recon results to the screen as opposed to exfiltrating them. [Script](https://gist.github.com/kirk-sayre-work/7cb5bf4e2c7c77fa5684ddc17053f1e5). + \ \nFor more information see also [https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon](https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon) + and [https://attack.mitre.org/software/S0417/](https://attack.mitre.org/software/S0417/)" supported_platforms: - windows input_arguments: diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 54ee29d7..67a38b2a 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -285,10 +285,9 @@ REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
## Atomic Test #9 - Griffon Recon -Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool. -This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), -and it gives the exact same recon behavior as the original (minus the C2 interaction). -For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/ +This script emulates the reconnaissance script seen in used by Griffon and was modified by security researcher Kirk Sayre +in order simply print the recon results to the screen as opposed to exfiltrating them. [Script](https://gist.github.com/kirk-sayre-work/7cb5bf4e2c7c77fa5684ddc17053f1e5). +For more information see also [https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon](https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon) and [https://attack.mitre.org/software/S0417/](https://attack.mitre.org/software/S0417/) **Supported Platforms:** Windows
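Review bot: in the index.yaml hunk, the replacement description has two grammar slips that will propagate to every generated view of this atomic: "seen in used by Griffon" should read "seen in use by Griffon" (or "used by Griffon"), and "in order simply print the recon results" is missing "to" ("in order to simply print"). The folded YAML string also carries literal "\n" escapes and a stray "\ \n" before "For more information", which render as hard line breaks in the middle of a sentence; a plain space would read better. Since atomics/Indexes/index.yaml is a generated index, the same description should be corrected in the atomic's own T1082 YAML definition, which this diff does not touch, and the index regenerated from it rather than hand-edited.

Review bot: in the T1082.md hunk, the new text drops the old description's statement of intent ("This atomic is for detecting, specifically, the reconnaissance part of the tool"), which is the sentence that tells a defender what the test is meant to exercise; consider keeping a one-line purpose statement alongside the new note that the modified script prints the recon results instead of exfiltrating them. The same two grammar fixes apply here ("seen in use by Griffon", "in order to simply print"), and the markdown must stay identical to the index.yaml description or the two will drift, which is another reason to regenerate both files from the atomic's YAML rather than edit them separately. The corrected gist link (gist.github.com host instead of github.com) is a welcome fix and should be carried into the YAML source as well.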