diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 87171f76..f3166cf3 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -3554,7 +3554,8 @@ persistence:
atomic_tests:
- name: Append malicious start-process cmdlet
description: 'Appends a start process cmdlet to the current user''s powershell
- profile pofile that points to a malicious executable
+ profile pofile that points to a malicious executable. Upon execution, calc.exe
+ will be launched.
'
supported_platforms:
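Review bot: The rewritten description line still carries the typo `profile pofile` (presumably meant to read `powershell profile that points to…`); since the sentence is being touched anyway, drop the stray word here and in the identical privilege-escalation copy of this description later in the file (hunk ending at line 71). The surrounding single-quoted scalar is otherwise fine.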
@@ -3568,19 +3569,19 @@ persistence:
description: Powershell profile to use
type: String
default: "$profile"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Ensure a powershell profile exists for the current user
+ prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}'
+ get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force'
executor:
name: powershell
elevation_required: false
command: |
- if(Test-Path #{ps_profile}){
- }
- else{
- New-Item -Path #{ps_profile} -Type File -Force
- }
- $malicious = "Start-Process #{exe_path}"
- Add-Content #{ps_profile} -Value $malicious
- powershell -command exit
- cleanup_command: |-
+ Add-Content #{ps_profile} -Value ""
+ Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
+ powershell -Command exit
+ cleanup_command: |
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
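Review bot: The cleanup no longer undoes what the new command does: the two new `Add-Content` lines append two lines to the profile (an empty line, then the `Start-Process` line), while the unchanged cleanup strips only one (`Select-Object -skiplast 1`), so each run leaves a stray blank line behind and the profile grows across runs. The cleanup also reads and writes `$profile` rather than `#{ps_profile}`, so a non-default `ps_profile` argument is modified on execution but never restored; if the framework substitutes arguments in cleanup_command the way it does in command, the two cleanup lines should become `$oldprofile = cat #{ps_profile} | Select-Object -skiplast 2` and `Set-Content #{ps_profile} -Value $oldprofile`. The same command/cleanup pair appears in the privilege-escalation copy of this test (hunk ending at line 99) and in the T1504.md hunk. If this index is regenerated from the technique's source YAML, the fix belongs there rather than in the index.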
T1163:
@@ -10758,6 +10759,9 @@ defense-evasion:
- name: Parent PID Spoofing using PowerShell
description: |
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
+ Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
+ calc.exe will be launched.
+
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
supported_platforms:
- windows
@@ -14607,6 +14611,9 @@ privilege-escalation:
- name: Parent PID Spoofing using PowerShell
description: |
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
+ Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
+ calc.exe will be launched.
+
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
supported_platforms:
- windows
@@ -14798,7 +14805,8 @@ privilege-escalation:
atomic_tests:
- name: Append malicious start-process cmdlet
description: 'Appends a start process cmdlet to the current user''s powershell
- profile pofile that points to a malicious executable
+ profile pofile that points to a malicious executable. Upon execution, calc.exe
+ will be launched.
'
supported_platforms:
@@ -14812,19 +14820,19 @@ privilege-escalation:
description: Powershell profile to use
type: String
default: "$profile"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Ensure a powershell profile exists for the current user
+ prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}'
+ get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force'
executor:
name: powershell
elevation_required: false
command: |
- if(Test-Path #{ps_profile}){
- }
- else{
- New-Item -Path #{ps_profile} -Type File -Force
- }
- $malicious = "Start-Process #{exe_path}"
- Add-Content #{ps_profile} -Value $malicious
- powershell -command exit
- cleanup_command: |-
+ Add-Content #{ps_profile} -Value ""
+ Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
+ powershell -Command exit
+ cleanup_command: |
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
T1055:
@@ -15850,10 +15858,9 @@ impact:
identifier: T1531
atomic_tests:
- name: Change User Password - Windows
- description: 'Changes the user password to hinder access attempts. Seen in use
- by LockerGoga.
-
-'
+ description: |
+ Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
+ the password "HuHuHUHoHo283283".
supported_platforms:
- windows
input_arguments:
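Review bot: The new description hard-codes the account name `AtomicAdministrator` and the password `HuHuHUHoHo283283`, which presumably are the current defaults of the test's input arguments (the `input_arguments` block begins at the end of this hunk and continues outside it), so the text becomes wrong as soon as a caller overrides them, and it publishes a literal credential that readers may assume is always what was set. Describe the outcome in terms of the argument names instead — the test's command uses `#{user_account}` and `#{new_user_password}` (visible in the T1531.md hunk) — for example `Upon execution, the account given by user_account can be logged into with new_user_password.` The `Delete User - Windows` description in the next hunk (ending at line 122) hard-codes `AtomicUser` the same way and should refer to `user_account`.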
@@ -15883,7 +15890,8 @@ impact:
'
- name: Delete User - Windows
- description: 'Deletes a user account to prevent access.
+ description: 'Deletes a user account to prevent access. Upon execution, run
+ the command "net user" to verify that the new "AtomicUser" account was deleted.
'
supported_platforms:
@@ -15904,7 +15912,9 @@ impact:
executor:
name: command_prompt
elevation_required: true
- command: 'net.exe user #{user_account} /delete'
+ command: 'net.exe user #{user_account} /delete
+
+'
T1485:
technique:
x_mitre_data_sources:
@@ -16590,7 +16600,9 @@ impact:
executor:
name: bash
elevation_required: true
- command: "halt -p \n"
+ command: 'halt -p
+
+'
- name: Reboot System via `halt` - Linux
description: 'This test restarts a Linux system using `halt`.
@@ -16600,7 +16612,9 @@ impact:
executor:
name: bash
elevation_required: true
- command: "halt --reboot \n"
+ command: 'halt --reboot
+
+'
- name: Shutdown System via `poweroff` - Linux
description: 'This test shuts down a Linux system using `poweroff`.
@@ -16610,7 +16624,9 @@ impact:
executor:
name: bash
elevation_required: true
- command: "poweroff \n"
+ command: 'poweroff
+
+'
- name: Reboot System via `poweroff` - Linux
description: 'This test restarts a Linux system using `poweroff`.
@@ -16620,7 +16636,9 @@ impact:
executor:
name: bash
elevation_required: true
- command: 'poweroff --reboot '
+ command: 'poweroff --reboot
+
+'
discovery:
T1087:
technique:
@@ -18559,11 +18577,9 @@ discovery:
identifier: T1518
atomic_tests:
- name: Find and Display Internet Explorer Browser Version
- description: 'Adversaries may attempt to get a listing of non-security related
- software that is installed on the system. Adversaries may use the information
- from Software Discovery during automated discovery to shape follow-on behaviors
-
-'
+ description: |
+ Query the registry to determine the version of internet explorer installed on the system.
+ Upon execution, version information about internet explorer will be displayed.
supported_platforms:
- windows
executor:
@@ -18574,11 +18590,9 @@ discovery:
'
- name: Applications Installed
- description: 'Adversaries may attempt to get a listing of all software that
- is installed on the system. Adversaries may use the information from Software
- Discovery during automated discovery to shape follow-on behaviors
-
-'
+ description: |
+ Query the registry to determine software and versions installed on the system. Upon execution a table of
+ software name and version information will be displayed.
supported_platforms:
- windows
executor:
diff --git a/atomics/T1502/T1502.md b/atomics/T1502/T1502.md
index 1f6dbeb7..5030475c 100644
--- a/atomics/T1502/T1502.md
+++ b/atomics/T1502/T1502.md
@@ -15,6 +15,9 @@ Explicitly assigning the PPID may also enable [Privilege Escalation](https://att
## Atomic Test #1 - Parent PID Spoofing using PowerShell
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
+Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
+calc.exe will be launched.
+
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
**Supported Platforms:** Windows
diff --git a/atomics/T1504/T1504.md b/atomics/T1504/T1504.md
index 05fa4c64..7e243225 100644
--- a/atomics/T1504/T1504.md
+++ b/atomics/T1504/T1504.md
@@ -14,7 +14,7 @@ An adversary may also be able to escalate privileges if a script in a PowerShell
## Atomic Test #1 - Append malicious start-process cmdlet
-Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable
+Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
@@ -32,14 +32,9 @@ Appends a start process cmdlet to the current user's powershell profile pofile t
```powershell
-if(Test-Path #{ps_profile}){
-}
-else{
- New-Item -Path #{ps_profile} -Type File -Force
-}
-$malicious = "Start-Process #{exe_path}"
-Add-Content #{ps_profile} -Value $malicious
-powershell -command exit
+Add-Content #{ps_profile} -Value ""
+Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
+powershell -Command exit
```
#### Cleanup Commands:
@@ -50,6 +45,18 @@ Set-Content $profile -Value $oldprofile
+#### Dependencies: Run with `powershell`!
+##### Description: Ensure a powershell profile exists for the current user
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path #{ps_profile} -Type File -Force
+```
+
+
diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md
index 36b4531a..b22d2b7c 100644
--- a/atomics/T1518/T1518.md
+++ b/atomics/T1518/T1518.md
@@ -12,7 +12,8 @@
## Atomic Test #1 - Find and Display Internet Explorer Browser Version
-Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+Query the registry to determine the version of internet explorer installed on the system.
+Upon execution, version information about internet explorer will be displayed.
**Supported Platforms:** Windows
@@ -36,7 +37,8 @@ reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersio
## Atomic Test #2 - Applications Installed
-Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
+Query the registry to determine software and versions installed on the system. Upon execution a table of
+software name and version information will be displayed.
**Supported Platforms:** Windows
diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md
index a41ee076..61f31b73 100644
--- a/atomics/T1531/T1531.md
+++ b/atomics/T1531/T1531.md
@@ -14,7 +14,8 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c
## Atomic Test #1 - Change User Password - Windows
-Changes the user password to hinder access attempts. Seen in use by LockerGoga.
+Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
+the password "HuHuHUHoHo283283".
**Supported Platforms:** Windows
@@ -61,7 +62,7 @@ net user #{user_account} #{new_user_password} /add
## Atomic Test #2 - Delete User - Windows
-Deletes a user account to prevent access.
+Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
**Supported Platforms:** Windows