T1518 software discovery added test, cleanup (#718)

* New test, spelling fix

Added a test for all software installed and minor spelling fix

* Spelling
Micheal Fleck
2019-12-16 15:20:02 -06:00
committed by Carrie Roberts
parent b85fe323b8
commit de8df502af
2 changed files with 19 additions and 3 deletions
@@ -4,6 +4,7 @@
## Atomic Tests
- [Atomic Test #1 - Find and Display Internet Explorer Browser Version](#atomic-test-1---find-and-display-internet-explorer-browser-version)
- [Atomic Test #2 - Applications Installed](#atomic-test-2---applications-installed)
@@ -17,13 +18,28 @@ Adversaries may attempt to get a listing of non-security related software that i
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
#### Run it with `command_prompt`!
```
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
```
<br/>
## Atomic Test #2 - Applications Installed
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors. This test queries two registry keys in Windows known to have installation information for programs.
References:
https://blogs.technet.microsoft.com/heyscriptingguy/2011/11/13/use-powershell-toquickly-find-installed-software
https://blogs.technet.microsoft.com/heyscriptingguy/2013/11/15/use-powershell-to-find-installed-software
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
```
<br/>
<br/>
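Review bot: the two commands only read the machine-wide `HKLM` Uninstall keys (native and `Wow6432Node`), so software installed per user, which is recorded under the current user's hive (`HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall`) rather than under `HKLM`, will not appear; if the test is meant to cover "all software installed" as the commit message says, consider adding a third query for that key, or otherwise narrow the description to machine-wide installs. Two smaller points in the same hunk: the executable is written `POWERSHELL.EXE` on one line and `powershell.exe` on the next (harmless on Windows, but worth making consistent), and the first reference URL reads `use-powershell-toquickly-find-installed-software`, which looks like a dropped hyphen between `to` and `quickly`, so please verify the link resolves. Since both commands do nothing but launch PowerShell, the `powershell` executor would also be more direct than wrapping them in `command_prompt`.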
@@ -4,7 +4,7 @@
### Install Atomic Red Team
* Be sure to get permission and necessary approval before conducting test's. Unauthorized testing is a bad decision
* Be sure to get permission and necessary approval before conducting tests. Unauthorized testing is a bad decision
and can potentially be a resume-generating event.
* Set up a test machine that would be similar to the build in your environment. Be sure you have your collection/EDR
@@ -41,7 +41,7 @@ DownloadPath
Force
- Force the new installation removing any previous installations in -InstallPath. **BE CAREFUL this will delete the entire install path folder**
`Install-AtomicRedTeam -Force`
### Manual