Added new tests for techniques T1082 and T1070 (#2547)

Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Sep 29, 2023 · 247349e · 247349e
1 parent 9bf8093
commit 247349e
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/atomics/T1070/T1070.yaml b/atomics/T1070/T1070.yaml
@@ -15,3 +15,28 @@ atomic_tests:
       fsutil usn createjournal m=1000 a=100 c:
     name: command_prompt
     elevation_required: true
+- name: Indicator Manipulation using FSUtil
+  description: |
+    Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file's short name, sets a file's valid data length, sets zero data for a file, or creates a new file. Upon execution, no output
+    will be displayed. More information about fsutil can be found at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file
+    - https://tria.ge/230601-x8x6bsgb24/behavioral2
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_manipulate:
+      description: Path of file to manipulate
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\T1070-2.txt
+    file_data_length:
+      description: Data length to setzero
+      type: integer
+      default: 10
+  executor:
+    command: |
+      if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force } 
+      echo "1234567890" > "#{file_to_manipulate}"
+      fsutil  file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"
+    cleanup_command: |
+      rm "#{file_to_manipulate}"
+    name: powershell
+    elevation_required: false
diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml
@@ -371,6 +371,7 @@ atomic_tests:
       wmic path win32_VideoController get VideoModeDescription
       wmic OS get Caption,OSArchitecture,Version
       wmic DISKDRIVE get Caption
+      Get-WmiObject win32_bios
     name: command_prompt
 - name: Driver Enumeration using DriverQuery
   auto_generated_guid: bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9
@@ -397,3 +398,25 @@ atomic_tests:
       wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs
     elevation_required: true
     name: command_prompt
+- name: Check computer location
+  description: |
+    Looks up country code configured in the registry, likely geofence. Upon execution, country code info will be displayed.
+    - https://tria.ge/210111-eaz8mqhgh6/behavioral1
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg query "HKEY_CURRENT_USER\Control Panel\International\Geo"
+    name: command_prompt
+- name: BIOS Information Discovery through Registry 
+  description: |
+    Looks up for BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments.  Upon execution, BIOS information will be displayed.
+    - https://tria.ge/210111-eaz8mqhgh6/behavioral1
+    - https://evasions.checkpoint.com/techniques/registry.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
+      reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion
+    name: command_prompt