add "elevation_required" attribute to test definition yaml (redcanary…

…co#532) * add elevation_required attribute to test definition yaml * Update atomic_red_team/atomic_test_template.yaml Co-Authored-By: Brian Beyer <[email protected]> * Update atomics/T1089/T1089.yaml Co-Authored-By: Brian Beyer <[email protected]> * Update atomics/T1089/T1089.yaml Co-Authored-By: Brian Beyer <[email protected]>
Andras32 · Aug 29, 2019 · 9f535f0 · 9f535f0
1 parent 5f460b5
commit 9f535f0
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/atomic_red_team/atomic_doc_template.md.erb b/atomic_red_team/atomic_doc_template.md.erb
@@ -36,11 +36,11 @@ end.join(', ') %>
 <% end -%>
 
 <%- if test['executor']['name'] == 'manual' -%>
-#### Run it with these steps!
+#### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
 <%= test['executor']['steps'] %>
 
 <%- else -%>
-#### Run it with `<%= test['executor']['name'] %>`!
+#### Run it with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
 ```
 <%= test['executor']['command'].to_s.strip %>
 ```

diff --git a/atomic_red_team/atomic_test_template.yaml b/atomic_red_team/atomic_test_template.yaml
@@ -22,5 +22,6 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
     command: |
       TODO
diff --git a/atomics/T1089/T1089.yaml b/atomics/T1089/T1089.yaml
@@ -108,6 +108,7 @@ atomic_tests:
       default: SysmonDrv
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       fltmc.exe unload #{sysmon_driver}
 
@@ -136,5 +137,6 @@ atomic_tests:
 
   executor:
     name: command_prompt
+    elevation_required: true
     command: |
       sysmon -u