Generate docs from job=validate_atomics_generate_docs branch=master

2019-12-10 18:22:55 +00:00
parent 3293e54771
commit e11b77f02f
4 changed files with 32 additions and 12 deletions
@@ -4,8 +4,10 @@

 ## Atomic Tests

- [Atomic Test #1 - Find and Display Iinternet Explorer Browser Version](#atomic-test-1---find-and-display-internet-explorer-browser-version)
- [Atomic Test #2 - Find and Display Currently Installed Software](#atomic-test-2---applications-installed)
+- [Atomic Test #1 - Find and Display Internet Explorer Browser Version](#atomic-test-1---find-and-display-internet-explorer-browser-version)
+
+- [Atomic Test #2 - Applications Installed](#atomic-test-2---applications-installed)
+

 <br/>

@@ -15,26 +17,28 @@ Adversaries may attempt to get a listing of non-security related software that i
 **Supported Platforms:** Windows


-#### Run it with `command_prompt`!
+#### Run it with `command_prompt`! 
 ```
 reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
 ```

+
+
+<br/>
 <br/>

 ## Atomic Test #2 - Applications Installed
-Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors. This test queries two registry keys in Windows known to have installation information for programs.
-
-References:
-https://blogs.technet.microsoft.com/heyscriptingguy/2011/11/13/use-powershell-toquickly-find-installed-software
-https://blogs.technet.microsoft.com/heyscriptingguy/2013/11/15/use-powershell-to-find-installed-software
+Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors

 **Supported Platforms:** Windows


-#### Run it with `command_prompt`!
+#### Run it with `command_prompt`! 
 ```
 POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
 powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
 ```
+
+
+
 <br/>
@@ -606,7 +606,8 @@
  - Atomic Test #3: Security Software Discovery - ps [linux, macos]
  - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
 - [T1518 Software Discovery](./T1518/T1518.md)
-  - Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows]
+  - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
+  - Atomic Test #2: Applications Installed [windows]
 - [T1082 System Information Discovery](./T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
  - Atomic Test #2: System Information Discovery [linux, macos]
@@ -17668,7 +17668,7 @@ discovery:
      modified: '2019-09-27T19:03:39.143Z'
      identifier: T1518
    atomic_tests:
-    - name: Find and Display Iinternet Explorer Browser Version
+    - name: Find and Display Internet Explorer Browser Version
      description: 'Adversaries may attempt to get a listing of non-security related
        software that is installed on the system. Adversaries may use the information
        from Software Discovery during automated discovery to shape follow-on behaviors
@@ -17683,6 +17683,20 @@ discovery:
          /v svcVersion

 '
+    - name: Applications Installed
+      description: 'Adversaries may attempt to get a listing of all software that
+        is installed on the system. Adversaries may use the information from Software
+        Discovery during automated discovery to shape follow-on behaviors
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
+          powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize"
  T1082:
    technique:
      x_mitre_permissions_required:
@@ -431,7 +431,8 @@
  - Atomic Test #2: Security Software Discovery - powershell [windows]
  - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
 - [T1518 Software Discovery](./T1518/T1518.md)
-  - Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows]
+  - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
+  - Atomic Test #2: Applications Installed [windows]
 - [T1082 System Information Discovery](./T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
  - Atomic Test #6: Hostname Discovery (Windows) [windows]