Atomic test bug fixes/consistency improvements (#884)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1048/T1048.yaml

@@ -18,14 +18,6 @@ atomic_tests:
       description: target SSH domain
       type: url
       default: target.example.com
-    user_name:
-      description: username for domain
-      type: string
-      default: atomic
-    password:
-      description: password for user
-      type: string
-      default: atomic
 
   executor:
     name: sh
@@ -119,20 +111,6 @@ atomic_tests:
   supported_platforms:
     - linux
 
-  input_arguments:
-    domain: 
-      description: target DNS domain
-      type: url
-      default: ns2.example.com
-    input_file:
-      description: Path to file to be exfiltrated.
-      type: Path
-      default: ./example.txt
-    output_file:
-      description: Filename of the data exfiltrated.
-      type: String
-      default: received_data.txt
-
   executor:
     name: manual
     steps: |

atomics/T1055/T1055.yaml

@@ -17,7 +17,7 @@ atomic_tests:
       default: PathToAtomicsFolder\T1055\src\x64\T1055.dll
     process_id:
       description: PID of input_arguments
-      type: Int
+      type: Integer
       default: (get-process spoolsv).id
   
   dependency_executor_name: powershell
@@ -51,7 +51,7 @@ atomic_tests:
       default: T1055.dll
     process_id:
       description: PID of input_arguments
-      type: Int
+      type: Integer
       default: (get-process spoolsv).id
   executor:
     name: powershell

atomics/T1058/T1058.yaml

@@ -14,7 +14,7 @@ atomic_tests:
   input_arguments:
     weak_service_name:
       description: weak service check
-      type: Registry
+      type: String
       default: weakservicename
 
   executor:

atomics/T1095/T1095.yaml

@@ -12,7 +12,7 @@ atomic_tests:
   input_arguments:
     server_ip: 
       description: The IP address of the listening server
-      type: ip
+      type: string
       default: 127.0.0.1 
   executor:
     name: powershell
@@ -79,11 +79,11 @@ atomic_tests:
   input_arguments:
     server_ip: 
       description: The IP address or domain name of the listening server
-      type: ip
+      type: string
       default: 127.0.0.1
     server_port:
       description: The port for the C2 connection
-      type: port number
+      type: integer
       default: 80
   executor:
     name: powershell

atomics/T1099/T1099.yaml

@@ -80,7 +80,7 @@ atomic_tests:
   executor:
     name: sh
     command: |
-      touch -acmr #{reference_file_path} {target_file_path}
+      touch -acmr #{reference_file_path} #{target_file_path}
 
 - name: Windows - Modify file creation timestamp with PowerShell
   description: |

atomics/T1107/T1107.yaml

@@ -91,11 +91,6 @@ atomic_tests:
     Recursively delete the temporary directory and all files contained within it using Powershell
   supported_platforms:
     - windows
-  input_arguments:
-    folder_to_delete:
-      description: Path of folder to delete
-      type: Path
-      default: C:\Windows\Temp\victim-files-ps
   executor:
     name: powershell
     elevation_required: false

atomics/T1113/T1113.yaml

@@ -16,7 +16,8 @@ atomic_tests:
   executor:
     name: bash
     elevation_required: false
-    command: screencapture #{output_file}
+    command: |
+      screencapture #{output_file}
 
 - name: Screencapture (silent)
   description: |
@@ -31,7 +32,8 @@ atomic_tests:
   executor:
     name: bash
     elevation_required: false
-    command: screencapture -x #{output_file}
+    command: |
+      screencapture -x #{output_file}
 
 - name: X Windows Capture
   description: |
@@ -61,4 +63,5 @@ atomic_tests:
       default: desktop.png
   executor:
     name: bash
-    command: import -window root #{output_file}
+    command: |
+      import -window root #{output_file}

atomics/T1134/T1134.yaml

@@ -9,11 +9,6 @@ atomic_tests:
     Requires Administrator Privileges To Execute Test
   supported_platforms:
     - windows
-  input_arguments:
-    target_user:
-      description: Username To Steal Token From
-      type: String
-      default: SYSTEM
   executor:
     name: powershell
     elevation_required: true

atomics/T1136/T1136.yaml

@@ -13,10 +13,6 @@ atomic_tests:
       description: Username of the user to create
       type: String
       default: evil_user
-    comment:
-      description: Comment to record when creating the user
-      type: String
-      default: Evil Account
   executor:
     name: bash
     elevation_required: true

atomics/T1143/T1143.yaml

@@ -15,10 +15,6 @@ atomic_tests:
       description: Command to launch calc.exe from a hidden PowerShell Window
       type: String
       default: powershell.exe -WindowStyle hidden calc.exe
-    powershell_process_name:
-      description: Name of the created process
-      type: string
-      default: calc
 
   executor:
     name: powershell

atomics/T1170/T1170.yaml

@@ -26,7 +26,7 @@ atomic_tests:
     - windows
 
   input_arguments:
-    local_file: 
+    local_file_path: 
       description: Create a local VBScript file
       type: path
       default: C:\Temp\mshta_notepad.vbs
@@ -34,7 +34,7 @@ atomic_tests:
   executor:
     name: command_prompt
     command: |
-      mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)")
+      mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)")
 
 - name: Mshta executes VBScript to execute malicious command
   description: |

atomics/T1500/T1500.yaml

@@ -13,11 +13,11 @@ atomic_tests:
   input_arguments:
     input_file:
       description: C# code that launches calc.exe from a hidden cmd.exe Window
-      type: file
+      type: Path
       default: PathToAtomicsFolder\T1500\src\calc.cs
     output_file:
       description: Output compiled binary
-      type: file
+      type: Path
       default: C:\Windows\Temp\T1500.exe
 
   dependency_executor_name: powershell