diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index a89b7ae6..fc6cff2d 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -92743,7 +92743,7 @@ command-and-control:
 - name: Download a File with Windows Defender MpCmdRun.exe
 auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc
 description: |
- Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed).
+ Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed).
 The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file.
 By default, the test downloads the Atomic Red Team license file to the temp directory.
@@ -92759,18 +92759,13 @@ command-and-control:
 description: Location to save downloaded file
 type: Path
 default: "%temp%\\Atomic-license.txt"
- dependency_executor_name: powershell
 dependencies:
- - description: 'Must have one of these Windows Defender versions installed:
- 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9'
+ - description: Must have a Windows Defender version with MpCmdRun.exe installed
 prereq_command: |
- $retVal = 1
- foreach ($version in @("4.18.2007.8-0","4.18.2007.9","4.18.2009.9")){
- if (Test-Path "$env:ProgramData\Microsoft\Windows Defender\Platform\$version") { $retVal = 0}
- }
- exit $retVal
- get_prereq_command: Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9,
- or 4.18.2009.9 must be installed manually"
+ cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
+ MpCmdRun.exe /?
+ get_prereq_command: Echo "A version of Windows Defender with MpCmdRun.exe
+ must be installed manually"
 executor:
 command: |
 cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index 52dc43ca..48302cea 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
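Review bot: The new `prereq_command` in the second hunk only proves that some `Platform\4.18*` directory holds an `MpCmdRun.exe` that answers `/?`; it no longer establishes that the binary actually supports the download switch the executor depends on, so on a build where that switch is absent or restricted the prerequisite passes and the test fails later in the executor for an unrelated-looking reason. If the help text on the builds you target lists the switch, tightening the check to `MpCmdRun.exe /? | findstr /i "DownloadFile"` makes the prerequisite fail for the right reason, since `findstr` exits non-zero when nothing matches. Note also that `cd "...\platform\4.18*"` resolves the wildcard to a single directory with no guarantee it is the platform version currently in use when several 4.18.x folders are present; the executor uses the same `cd`, and its command block continues past the end of the hunk. Finally, `Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually"` in cmd prints the quotation marks literally, so dropping the quotes would print cleanly.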
@@ -512,7 +512,7 @@ del C:\\svchost.exe >nul 2>&1
## Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe
-Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed).
+Uses Windows Defender MpCmdRun.exe to download a file from the internet (must have version 4.18 installed).
 The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file.
 By default, the test downloads the Atomic Red Team license file to the temp directory.
@@ -550,19 +550,16 @@ del %temp%\MpCmdRun.log >nul 2>&1
-#### Dependencies: Run with `powershell`!
-##### Description: Must have one of these Windows Defender versions installed: 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9
+#### Dependencies: Run with `command_prompt`!
+##### Description: Must have a Windows Defender version with MpCmdRun.exe installed
 ##### Check Prereq Commands:
-```powershell
-$retVal = 1
-foreach ($version in @("4.18.2007.8-0","4.18.2007.9","4.18.2009.9")){
- if (Test-Path "$env:ProgramData\Microsoft\Windows Defender\Platform\$version") { $retVal = 0}
-}
-exit $retVal
+```cmd
+cd "%ProgramData%\Microsoft\Windows Defender\platform\4.18*"
+MpCmdRun.exe /?
 ```
 ##### Get Prereq Commands:
-```powershell
-Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 must be installed manually"
+```cmd
+Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually"
 ```