diff --git a/atomics/T1037/T1037.md b/atomics/T1037/T1037.md
index 50eea1fe..eec31945 100644
--- a/atomics/T1037/T1037.md
+++ b/atomics/T1037/T1037.md
@@ -28,7 +28,8 @@ Mac allows login and logoff hooks to be run as root whenever a specific user log
## Atomic Test #1 - Logon Scripts
-Adds a registry value to run batch script created in the C:\Windows\Temp directory.
+Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
+that can be viewed in the Registry Editor.
**Supported Platforms:** Windows
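Review bot: "run batch script" is missing an article in the added description; suggest "run a batch script". The new sentence also describes the artefact as "a new environment variable", but what the test actually writes is the UserInitMprLogonScript value under HKCU\Environment; naming that value tells the reader exactly what to look for in Registry Editor and gives defenders the precise key/value to alert on.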
@@ -38,7 +39,7 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| script_path | Path to .bat file | String | $env:SystemRoot\Temp\art.bat|
+| script_path | Path to .bat file | String | %temp%\art.bat|
| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037-log.txt|
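Review bot: changing the default from $env:SystemRoot\Temp\art.bat to %temp%\art.bat is the right call for a command_prompt executor, since the $env: form is PowerShell syntax that cmd passes through unexpanded, and it also stops the test writing under C:\Windows. Note that the script_command default on the unchanged row still contains its own double quotes and a `>>`, so whatever echo form the attack command uses must preserve both.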
@@ -46,15 +47,15 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
```cmd
-echo cmd /c "#{script_command}" > #{script_path}
-REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
+echo "#{script_command}" > #{script_path}
+REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
```
#### Cleanup Commands:
```cmd
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
-del #{script_path} >nul 2>nul
-del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
+del #{script_path} >nul 2>&1
+del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
```
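Review bot: dropping the `cmd /c` wrapper while keeping the surrounding quotes in `echo "#{script_command}" > #{script_path}` writes those quotes into the .bat file literally. With the default script_command (`echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037-log.txt`) the resulting batch line starts with a double quote, and cmd takes the quoted text up to the next quote, `echo Art `, as the command name, so the logon script fails instead of writing T1037-log.txt. The previous `echo cmd /c "#{script_command}"` form worked because cmd strips the outer quotes of a /c string; suggest keeping that wrapper. The `/f` on REG ADD is a good addition (a re-run otherwise prompts for confirmation), and the `2>&1` cleanup change is harmless.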
@@ -65,7 +66,8 @@ del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
## Atomic Test #2 - Scheduled Task Startup Script
-Run an exe on user logon or system startup
+Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
+the tasks, open the Task Scheduler and look in the Active Tasks pane.
**Supported Platforms:** Windows
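Review bot: the added sentence promises success messages for "the two scheduled tasks" but never names them, so a reader looking in the Active Tasks pane, or a defender writing a detection for task registration, has nothing to match on; suggest stating the task names the test creates.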
@@ -129,7 +131,9 @@ Mac logon script
## Atomic Test #4 - Supicious vbs file run from startup Folder
-vbs files can be placed in and ran from the startup folder to maintain persistance
+vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1137 Hello, World VBS!" will be displayed twice.
+Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
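Review bot: the rewritten description carries the existing typos forward: "persistance" should be "persistence" and "ran from" should be "run from" (the heading's "Supicious" is pre-existing but worth fixing in the same pass). The new text lists only "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" as the place to find the new files, yet the cleanup for this test (visible in the next hunk header) also removes a copy from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, so the all-users Startup folder should be mentioned too; it is also the location anyone monitoring startup-folder writes will care about most.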
@@ -162,7 +166,9 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
## Atomic Test #5 - Supicious jse file run from startup Folder
jse files can be placed in and ran from the startup folder to maintain persistance.
-Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
+Upon execution, "T1137 Hello, World JSE!" will be displayed twice.
+Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
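Review bot: replacing "will be printed to the powershell session twice" with "will be displayed twice" loses useful precision; keep the PowerShell-session wording. As with the vbs test, the cleanup in the next hunk header removes a copy from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, so the description should list the all-users folder alongside $env:APPDATA. "persistance" and "ran from" remain misspelled in the unchanged first line.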
@@ -195,7 +201,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Supicious bat file run from startup Folder
bat files can be placed in and executed from the startup folder to maintain persistance.
-Upon execution, cmd will be run and immediately closed.
+Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
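Review bot: "persistance" in the unchanged first line of this description is still misspelled; since the description is being edited here, correct it to "persistence" in the same change. The added sentence should also say whether the bat file lands in the per-user folder only or, like the vbs and jse tests in this file, in the C:\ProgramData Startup folder as well.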
diff --git a/atomics/T1069/T1069.md b/atomics/T1069/T1069.md
index 32591d6a..5761eab7 100644
--- a/atomics/T1069/T1069.md
+++ b/atomics/T1069/T1069.md
@@ -60,7 +60,8 @@ groups
## Atomic Test #2 - Basic Permission Groups Discovery Windows
-Basic Permission Groups Discovery for Windows
+Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
+information will be displayed.
**Supported Platforms:** Windows
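Review bot: "some errors" is vague. The domain-dependent commands in this test are `net group /domain` and `net group "domain admins" /domain` (visible in the next hunk's context), so say that those commands fail on a host that is not domain-joined rather than leaving the reader to guess which output is expected and which is not.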
@@ -86,7 +87,8 @@ net group "domain admins" /domain
## Atomic Test #3 - Permission Groups Discovery PowerShell
-Permission Groups Discovery utilizing PowerShell
+Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
+information will be displayed.
**Supported Platforms:** Windows
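Review bot: the same "some errors" wording applies here, and for this test the cause is not only domain membership: `get-ADPrincipalGroupMembership #{user}` (visible in the next hunk's context) comes from the ActiveDirectory PowerShell module shipped with RSAT, so it also fails on a domain-joined host that lacks that module. The description should name the module as a prerequisite.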
@@ -116,7 +118,8 @@ get-ADPrincipalGroupMembership #{user} | select name
## Atomic Test #4 - Elevated group enumeration using net group
-Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
+Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
+test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
**Supported Platforms:** Windows
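Review bot: the first sentence is now a long run-on; suggest "Runs the "net group" command, including command aliases and loose typing, to simulate enumeration of high-value domain groups." The "some errors" tail should name the failing commands as in the other two descriptions.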
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 932c7c0b..56d05aa9 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -2758,17 +2758,16 @@ persistence:
identifier: T1037
atomic_tests:
- name: Logon Scripts
- description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
- directory.
-
-'
+ description: |
+ Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
+ that can be viewed in the Registry Editor.
supported_platforms:
- windows
input_arguments:
script_path:
description: Path to .bat file
type: String
- default: "$env:SystemRoot\\Temp\\art.bat"
+ default: "%temp%\\art.bat"
script_command:
description: Command To Execute
type: String
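Review bot: this diff edits T1037.md and index.yaml but no atomics/T1037/T1037.yaml appears in it. In Atomic Red Team the technique Markdown and index.yaml are generated from the per-technique YAML, so hand edits here will be overwritten on the next regeneration unless T1037.yaml carries the same change; please update the source YAML (and ideally regenerate from it) so the three files cannot drift apart. The move to a `|` block scalar for the description is otherwise an improvement over the quoted scalar with embedded blank lines.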
@@ -2777,16 +2776,16 @@ persistence:
name: command_prompt
elevation_required: false
command: |
- echo cmd /c "#{script_command}" > #{script_path}
- REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
+ echo "#{script_command}" > #{script_path}
+ REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
cleanup_command: |
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
- del #{script_path} >nul 2>nul
- del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
+ del #{script_path} >nul 2>&1
+ del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
- name: Scheduled Task Startup Script
- description: 'Run an exe on user logon or system startup
-
-'
+ description: |
+ Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
+ the tasks, open the Task Scheduler and look in the Active Tasks pane.
supported_platforms:
- windows
executor:
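Review bot: same quoting concern as the T1037.md attack command: `echo "#{script_command}" > #{script_path}` writes literal quotes into the .bat, and with the default script_command the batch line then begins with a quote that cmd treats as delimiting the command name. Keep the `cmd /c` wrapper here as well so the index reflects a working test; the `/f` and `2>&1` changes are fine.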
@@ -2814,10 +2813,11 @@ persistence:
Populate the plist with the location of your shell script\n\n\t defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
- name: Supicious vbs file run from startup Folder
- description: 'vbs files can be placed in and ran from the startup folder to
- maintain persistance
-
-'
+ description: "vbs files can be placed in and ran from the startup folder to
+ maintain persistance. Upon execution, \"T1137 Hello, World VBS!\" will be
+ displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
+ Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
+ and the user logs in.\n"
supported_platforms:
- windows
executor:
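Review bot: the description switches from a single-quoted scalar to a double-quoted one with embedded `\n` escapes and a trailing space before the break ("displayed twice. \n"), which will round-trip into the rendered Markdown. The neighbouring entries use `|` block scalars; using that form here keeps the line breaks readable and avoids the stray whitespace. The "persistance" and "ran from" typos from the md are reproduced here too.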
@@ -2832,9 +2832,11 @@ persistence:
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
- name: Supicious jse file run from startup Folder
- description: |
- jse files can be placed in and ran from the startup folder to maintain persistance.
- Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
+ description: "jse files can be placed in and ran from the startup folder to
+ maintain persistance.\nUpon execution, \"T1137 Hello, World JSE!\" will be
+ displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
+ Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
+ and the user logs in.\n"
supported_platforms:
- windows
executor:
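Review bot: this hunk moves the jse description from a `|` block scalar (the removed lines) to a double-quoted scalar with `\n` escapes, which is a readability regression; keep the `|` form and add the new sentences as plain lines. It also carries the trailing space in "displayed twice. \n" and drops the more precise "printed to the powershell session" wording.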
@@ -2851,7 +2853,8 @@ persistence:
- name: Supicious bat file run from startup Folder
description: |
bat files can be placed in and executed from the startup folder to maintain persistance.
- Upon execution, cmd will be run and immediately closed.
+ Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+ folder and will also run when the computer is restarted and the user logs in.
supported_platforms:
- windows
executor:
@@ -18008,9 +18011,9 @@ discovery:
dscl . -list /Groups
groups
- name: Basic Permission Groups Discovery Windows
- description: 'Basic Permission Groups Discovery for Windows
-
-'
+ description: |
+ Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
+ information will be displayed.
supported_platforms:
- windows
executor:
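Review bot: as in T1069.md, "some errors" should be replaced with the specific commands that fail on a non-domain-joined host, which for this entry are `net group /domain` and `net group "domain admins" /domain` shown in the next hunk's context.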
@@ -18021,9 +18024,9 @@ discovery:
net group /domain
net group "domain admins" /domain
- name: Permission Groups Discovery PowerShell
- description: 'Permission Groups Discovery utilizing PowerShell
-
-'
+ description: |
+ Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
+ information will be displayed.
supported_platforms:
- windows
input_arguments:
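Review bot: the command for this entry is `get-localgroup` followed by `get-ADPrincipalGroupMembership #{user} | select name` (visible at the top of the next hunk); only the second depends on a domain, and it additionally requires the ActiveDirectory module from RSAT, so "some errors" should be narrowed to that cmdlet and the module prerequisite stated.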
@@ -18038,10 +18041,9 @@ discovery:
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
- name: Elevated group enumeration using net group
- description: 'Runs "net group" command including command aliases and loose typing
- to simulate enumeration/discovery of high value domain groups
-
-'
+ description: |
+ Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
+ test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
supported_platforms:
- windows
executor:
@@ -25860,17 +25862,16 @@ lateral-movement:
identifier: T1037
atomic_tests:
- name: Logon Scripts
- description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
- directory.
-
-'
+ description: |
+ Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
+ that can be viewed in the Registry Editor.
supported_platforms:
- windows
input_arguments:
script_path:
description: Path to .bat file
type: String
- default: "$env:SystemRoot\\Temp\\art.bat"
+ default: "%temp%\\art.bat"
script_command:
description: Command To Execute
type: String
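Review bot: the T1037 block is duplicated under both persistence and lateral-movement in index.yaml and both copies are edited by hand in lockstep here; that doubles the opportunity for the two to diverge, which is another reason to make the change once in T1037.yaml and regenerate the index rather than patching it directly.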
@@ -25879,16 +25880,16 @@ lateral-movement:
name: command_prompt
elevation_required: false
command: |
- echo cmd /c "#{script_command}" > #{script_path}
- REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
+ echo "#{script_command}" > #{script_path}
+ REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
cleanup_command: |
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
- del #{script_path} >nul 2>nul
- del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
+ del #{script_path} >nul 2>&1
+ del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
- name: Scheduled Task Startup Script
- description: 'Run an exe on user logon or system startup
-
-'
+ description: |
+ Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
+ the tasks, open the Task Scheduler and look in the Active Tasks pane.
supported_platforms:
- windows
executor:
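Review bot: this is the lateral-movement copy of the attack command with the same quoting problem: without the `cmd /c` wrapper the surrounding quotes are written into the .bat, and the default script_command then produces a batch line that starts with a quote and fails to run. Whatever form is settled on for the persistence copy must be applied identically here.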
@@ -25916,10 +25917,11 @@ lateral-movement:
Populate the plist with the location of your shell script\n\n\t defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
- name: Supicious vbs file run from startup Folder
- description: 'vbs files can be placed in and ran from the startup folder to
- maintain persistance
-
-'
+ description: "vbs files can be placed in and ran from the startup folder to
+ maintain persistance. Upon execution, \"T1137 Hello, World VBS!\" will be
+ displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
+ Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
+ and the user logs in.\n"
supported_platforms:
- windows
executor:
@@ -25934,9 +25936,11 @@ lateral-movement:
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
- name: Supicious jse file run from startup Folder
- description: |
- jse files can be placed in and ran from the startup folder to maintain persistance.
- Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
+ description: "jse files can be placed in and ran from the startup folder to
+ maintain persistance.\nUpon execution, \"T1137 Hello, World JSE!\" will be
+ displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
+ Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
+ and the user logs in.\n"
supported_platforms:
- windows
executor:
@@ -25953,7 +25957,8 @@ lateral-movement:
- name: Supicious bat file run from startup Folder
description: |
bat files can be placed in and executed from the startup folder to maintain persistance.
- Upon execution, cmd will be run and immediately closed.
+ Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+ folder and will also run when the computer is restarted and the user logs in.
supported_platforms:
- windows
executor: