From c6788c573676bfefbd87b6543ca6ccadeccab44e Mon Sep 17 00:00:00 2001
From: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Date: Mon, 16 Mar 2020 17:32:25 -0400
Subject: [PATCH] Atomic test bug fixes/consistency improvements (#884)
Co-authored-by: Carrie Roberts
---
 atomics/T1048/T1048.yaml | 22 ----------------------
 atomics/T1055/T1055.yaml | 4 ++--
 atomics/T1058/T1058.yaml | 2 +-
 atomics/T1095/T1095.yaml | 6 +++---
 atomics/T1099/T1099.yaml | 2 +-
 atomics/T1107/T1107.yaml | 5 -----
 atomics/T1113/T1113.yaml | 9 ++++++---
 atomics/T1134/T1134.yaml | 5 -----
 atomics/T1136/T1136.yaml | 4 ----
 atomics/T1143/T1143.yaml | 4 ----
 atomics/T1170/T1170.yaml | 4 ++--
 atomics/T1500/T1500.yaml | 4 ++--
 12 files changed, 17 insertions(+), 54 deletions(-)
diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml
index 1d512242..f5917a88 100644
--- a/atomics/T1048/T1048.yaml
+++ b/atomics/T1048/T1048.yaml
@@ -18,14 +18,6 @@ atomic_tests: description: target SSH domain type: url default: target.example.com - user_name: - description: username for domain - type: string - default: atomic - password: - description: password for user - type: string - default: atomic executor: name: sh
@@ -119,20 +111,6 @@ atomic_tests: supported_platforms: - linux - input_arguments: - domain: - description: target DNS domain - type: url - default: ns2.example.com - input_file: - description: Path to file to be exfiltrated. - type: Path - default: ./example.txt - output_file: - description: Filename of the data exfiltrated. - type: String - default: received_data.txt - executor: name: manual steps: |
diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml
index 4bdac8c9..0456250b 100644
--- a/atomics/T1055/T1055.yaml
+++ b/atomics/T1055/T1055.yaml 
@@ -17,7 +17,7 @@ atomic_tests: default: PathToAtomicsFolder\T1055\src\x64\T1055.dll process_id: description: PID of input_arguments - type: Int + type: Integer default: (get-process spoolsv).id dependency_executor_name: powershell
@@ -51,7 +51,7 @@ atomic_tests: default: T1055.dll process_id: description: PID of input_arguments - type: Int + type: Integer default: (get-process spoolsv).id executor: name: powershell
diff --git a/atomics/T1058/T1058.yaml b/atomics/T1058/T1058.yaml
index 6a202256..a02585d3 100644
--- a/atomics/T1058/T1058.yaml
+++ b/atomics/T1058/T1058.yaml
@@ -14,7 +14,7 @@ atomic_tests: input_arguments: weak_service_name: description: weak service check - type: Registry + type: String default: weakservicename executor:
diff --git a/atomics/T1095/T1095.yaml b/atomics/T1095/T1095.yaml
index fb1c664e..e6939c12 100644
--- a/atomics/T1095/T1095.yaml
+++ b/atomics/T1095/T1095.yaml
@@ -12,7 +12,7 @@ atomic_tests: input_arguments: server_ip: description: The IP address of the listening server - type: ip + type: string default: 127.0.0.1 executor: name: powershell
@@ -79,11 +79,11 @@ atomic_tests: input_arguments: server_ip: description: The IP address or domain name of the listening server - type: ip + type: string default: 127.0.0.1 server_port: description: The port for the C2 connection - type: port number + type: integer default: 80 executor: name: powershell
diff --git a/atomics/T1099/T1099.yaml b/atomics/T1099/T1099.yaml
index 0f5b6aa7..36a7cd1e 100644
--- a/atomics/T1099/T1099.yaml
+++ b/atomics/T1099/T1099.yaml
@@ -80,7 +80,7 @@ atomic_tests: executor: name: sh command: | - touch -acmr #{reference_file_path} {target_file_path} + touch -acmr #{reference_file_path} #{target_file_path} - name: Windows - Modify file creation timestamp with PowerShell description: |
diff --git a/atomics/T1107/T1107.yaml b/atomics/T1107/T1107.yaml
index 70ec53da..a499be68 100644
--- a/atomics/T1107/T1107.yaml
+++ b/atomics/T1107/T1107.yaml 
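Review bot: The `Integer` type now declared for `process_id` in both T1055 hunks does not match its default, `(get-process spoolsv).id`, which is a PowerShell expression rather than an integer literal, so any harness that validates supplied or default values against `type` would reject the default before the test runs. If an expression-as-default is intended, the description should say so; it currently reads `PID of input_arguments`, which does not describe the argument at all, so something like `description: PID of the target process (the default is a PowerShell expression evaluated at run time that resolves to the spoolsv PID)`. The enclosing test definitions continue outside both hunks.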
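Review bot: The `type` values introduced in both T1095 hunks are lowercase (`string`, `integer`) while the same commit writes `Integer` in T1055, `String` in T1058 and `Path` in T1500, and the T1170 context line still reads `type: path`; for a commit whose stated purpose is consistency, the `type` vocabulary should be fixed to a single spelling across the twelve files so a schema check can match it exactly rather than case-fold. Which spelling wins is a project decision, but it should be recorded once (in the schema or contributing notes) so later edits do not reintroduce the drift. The `default: 80` on `server_port` is a YAML integer and agrees with the new `integer` type, so no change is needed there.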
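Review bot: Both substituted paths in the fixed T1099 line are still unquoted, so a `reference_file_path` or `target_file_path` containing whitespace or glob characters is word-split or expanded by `sh` instead of being passed as a single argument; `touch -acmr "#{reference_file_path}" "#{target_file_path}"`. The same unquoted `#{output_file}` appears in all three `screencapture`/`import` commands rewritten as block scalars in T1113 and should be quoted the same way. Note also that `-c` makes `touch` silently skip a target that does not exist, so a mistyped target path reports success without modifying any timestamp; the rest of this test's definition lies outside the hunk.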
@@ -91,11 +91,6 @@ atomic_tests: Recursively delete the temporary directory and all files contained within it using Powershell supported_platforms: - windows - input_arguments: - folder_to_delete: - description: Path of folder to delete - type: Path - default: C:\Windows\Temp\victim-files-ps executor: name: powershell elevation_required: false
diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml
index 56f1afaa..a6d3f4bf 100644
--- a/atomics/T1113/T1113.yaml
+++ b/atomics/T1113/T1113.yaml
@@ -16,7 +16,8 @@ atomic_tests: executor: name: bash elevation_required: false - command: screencapture #{output_file} + command: | screencapture #{output_file} - name: Screencapture (silent) description: |
@@ -31,7 +32,8 @@ atomic_tests: executor: name: bash elevation_required: false - command: screencapture -x #{output_file} + command: | screencapture -x #{output_file} - name: X Windows Capture description: |
@@ -61,4 +63,5 @@ atomic_tests: default: desktop.png executor: name: bash - command: import -window root #{output_file} + command: | import -window root #{output_file}
diff --git a/atomics/T1134/T1134.yaml b/atomics/T1134/T1134.yaml
index 2ffdbb70..27368dff 100644
--- a/atomics/T1134/T1134.yaml
+++ b/atomics/T1134/T1134.yaml
@@ -9,11 +9,6 @@ atomic_tests: Requires Administrator Privileges To Execute Test supported_platforms: - windows - input_arguments: - target_user: - description: Username To Steal Token From - type: String - default: SYSTEM executor: name: powershell elevation_required: true
diff --git a/atomics/T1136/T1136.yaml b/atomics/T1136/T1136.yaml
index f0399a51..fb3f4dd4 100644
--- a/atomics/T1136/T1136.yaml
+++ b/atomics/T1136/T1136.yaml
@@ -13,10 +13,6 @@ atomic_tests: description: Username of the user to create type: String default: evil_user - comment: - description: Comment to record when creating the user - type: String - default: Evil Account executor: name: bash elevation_required: true 
diff --git a/atomics/T1143/T1143.yaml b/atomics/T1143/T1143.yaml
index 40267d7b..8e82668e 100644
--- a/atomics/T1143/T1143.yaml
+++ b/atomics/T1143/T1143.yaml
@@ -15,10 +15,6 @@ atomic_tests: description: Command to launch calc.exe from a hidden PowerShell Window type: String default: powershell.exe -WindowStyle hidden calc.exe - powershell_process_name: - description: Name of the created process - type: string - default: calc executor: name: powershell
diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index 6717e498..6790ae56 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -26,7 +26,7 @@ atomic_tests: - windows input_arguments: - local_file: + local_file_path: description: Create a local VBScript file type: path default: C:\Temp\mshta_notepad.vbs
@@ -34,7 +34,7 @@ atomic_tests: executor: name: command_prompt command: | - mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)") + mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""#{local_file_path}"")(window.close)") - name: Mshta executes VBScript to execute malicious command description: |
diff --git a/atomics/T1500/T1500.yaml b/atomics/T1500/T1500.yaml
index 8475e4ed..a81a5dfb 100644
--- a/atomics/T1500/T1500.yaml
+++ b/atomics/T1500/T1500.yaml
@@ -13,11 +13,11 @@ atomic_tests: input_arguments: input_file: description: C# code that launches calc.exe from a hidden cmd.exe Window - type: file + type: Path default: PathToAtomicsFolder\T1500\src\calc.cs output_file: description: Output compiled binary - type: file + type: Path default: C:\Windows\Temp\T1500.exe dependency_executor_name: powershell
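Review bot: Renaming the input argument from `local_file` to `local_file_path` in the first T1170 hunk changes the test's interface: any harness or documentation that passes this argument under the old name would now supply an unknown key, and the command's `#{local_file_path}` placeholder would presumably fall back to the default. The second hunk fixes the placeholder only in the executor command; if a dependency or cleanup block of this test references `#{local_file}`, it is outside both hunks and would be left unexpanded, so the remainder of the definition should be checked. A one-line mention in the test description, e.g. `Argument renamed from local_file to local_file_path to match the command placeholder`, would make the break visible to consumers.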