From e11b77f02fa9639f933baba904ef28200f23ce48 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 10 Dec 2019 18:22:55 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1518/T1518.md | 22 +++++++++++++--------- atomics/index.md | 3 ++- atomics/index.yaml | 16 +++++++++++++++- atomics/windows-index.md | 3 ++- 4 files changed, 32 insertions(+), 12 deletions(-) diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index 8402d23f..1b4f1e39 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -4,8 +4,10 @@ ## Atomic Tests -- [Atomic Test #1 - Find and Display Iinternet Explorer Browser Version](#atomic-test-1---find-and-display-internet-explorer-browser-version) -- [Atomic Test #2 - Find and Display Currently Installed Software](#atomic-test-2---applications-installed) +- [Atomic Test #1 - Find and Display Internet Explorer Browser Version](#atomic-test-1---find-and-display-internet-explorer-browser-version) + +- [Atomic Test #2 - Applications Installed](#atomic-test-2---applications-installed) +
@@ -15,26 +17,28 @@ Adversaries may attempt to get a listing of non-security related software that i **Supported Platforms:** Windows -#### Run it with `command_prompt`! +#### Run it with `command_prompt`! ``` reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion ``` + + +

## Atomic Test #2 - Applications Installed -Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors. This test queries two registry keys in Windows known to have installation information for programs. - -References: -https://blogs.technet.microsoft.com/heyscriptingguy/2011/11/13/use-powershell-toquickly-find-installed-software -https://blogs.technet.microsoft.com/heyscriptingguy/2013/11/15/use-powershell-to-find-installed-software +Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors **Supported Platforms:** Windows -#### Run it with `command_prompt`! +#### Run it with `command_prompt`! ``` POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize" powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize" ``` + + +
diff --git a/atomics/index.md b/atomics/index.md index c611b2af..15f2321c 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -606,7 +606,8 @@ - Atomic Test #3: Security Software Discovery - ps [linux, macos] - Atomic Test #4: Security Software Discovery - Sysmon Service [windows] - [T1518 Software Discovery](./T1518/T1518.md) - - Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows] + - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows] + - Atomic Test #2: Applications Installed [windows] - [T1082 System Information Discovery](./T1082/T1082.md) - Atomic Test #1: System Information Discovery [windows] - Atomic Test #2: System Information Discovery [linux, macos] diff --git a/atomics/index.yaml b/atomics/index.yaml index ae6ffce7..db915db8 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -17668,7 +17668,7 @@ discovery: modified: '2019-09-27T19:03:39.143Z' identifier: T1518 atomic_tests: - - name: Find and Display Iinternet Explorer Browser Version + - name: Find and Display Internet Explorer Browser Version description: 'Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors 
@@ -17683,6 +17683,20 @@ discovery: /v svcVersion ' + - name: Applications Installed + description: 'Adversaries may attempt to get a listing of all software that + is installed on the system. Adversaries may use the information from Software + Discovery during automated discovery to shape follow-on behaviors + +' + supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: false + command: | + POWERSHELL.EXE "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize" + powershell.exe "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize" T1082: technique: x_mitre_permissions_required: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 5cc9a9eb..a6eb4276 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -431,7 +431,8 @@ - Atomic Test #2: Security Software Discovery - powershell [windows] - Atomic Test #4: Security Software Discovery - Sysmon Service [windows] - [T1518 Software Discovery](./T1518/T1518.md) - - Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows] + - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows] + - Atomic Test #2: Applications Installed [windows] - [T1082 System Information Discovery](./T1082/T1082.md) - Atomic Test #1: System Information Discovery [windows] - Atomic Test #6: Hostname Discovery (Windows) [windows]
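Review bot: in the first `atomics/T1518/T1518.md` hunk (`@@ -4,8 +4,10 @@`), the two bare `+` lines insert blank lines between the items of the "Atomic Tests" list, which turns a tight Markdown list into a loose one and differs from the layout of the other technique pages; drop them so the generator emits `- [Atomic Test #1 - Find and Display Internet Explorer Browser Version]` and `- [Atomic Test #2 - Applications Installed]` on consecutive lines. The typo fix `Iinternet` to `Internet` and the new link text, which now matches the existing `#atomic-test-2---applications-installed` anchor, are correct.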
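Review bot: the second `atomics/T1518/T1518.md` hunk (`@@ -15,26 +17,28 @@`) removes the sentence "This test queries two registry keys in Windows known to have installation information for programs." and both `References:` URLs from the Atomic Test #2 description, so the rendered page no longer says what the test reads or where the technique is documented; those lines belong in the source description and are the parts a detection engineer writing rules for registry-based software discovery would want kept. The replacement wording "a listing of all software that is installed" also overstates the commands: they enumerate only `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*` and the `Wow6432Node` equivalent, so any software without an entry under those two keys is not listed; "software registered under the Uninstall keys" would be accurate. The three trailing empty `+` lines at the end of the hunk look like generator padding and should not be committed.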
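Review bot: in the `atomics/index.yaml` hunk that adds `- name: Applications Installed`, the executor is `command_prompt` but both commands only launch PowerShell (`POWERSHELL.EXE "Get-ItemProperty ... | Format-Table -Autosize"`), so the test could declare `executor: name: powershell` and run the two `Get-ItemProperty` pipelines directly, which removes the nested double-quote handling and the inconsistent `POWERSHELL.EXE` / `powershell.exe` casing between the two lines. The quoted description also ends with an empty line inside the string (the `+` line followed by `+'`), whitespace that the generator carries into the Markdown; since these four files are generated from the technique YAML, and `atomics/T1518/T1518.yaml` is not part of this patch, the trim and the executor change need to be made in that source file rather than here. `elevation_required: false` is right, as both Uninstall keys are readable by a standard user.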