island: Move T1216's details from T1216.py to attack_schema.py so that it's
shown in the config instead of the ATT&CK report
This commit is contained in:
parent
ba2207b21d
commit
9564fb1aaa
|
@ -214,9 +214,10 @@ SCHEMA = {
|
|||
"value": False,
|
||||
"necessary": False,
|
||||
"link": "https://attack.mitre.org/techniques/T1216",
|
||||
"description": "Adversaries may use scripts signed with "
|
||||
"trusted certificates to "
|
||||
"proxy execution of malicious files on Windows systems.",
|
||||
"description": "Adversaries may use scripts signed with trusted certificates "
|
||||
"to proxy execution of malicious files on Windows systems. This behavior could "
|
||||
"be abused by adversaries to execute malicious files that could bypass "
|
||||
"application control and signature validation on systems.",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
|
@ -6,22 +6,14 @@ class T1216(PostBreachTechnique):
|
|||
tech_id = "T1216"
|
||||
unscanned_msg = (
|
||||
"Monkey didn't attempt to execute an arbitrary program with the help of a "
|
||||
+ "pre-existing signed script since it didn't run on any Windows machines. "
|
||||
+ "If successful, this behavior could be abused by adversaries to execute malicious "
|
||||
"files that could " + "bypass application control and signature validation on "
|
||||
"systems."
|
||||
"pre-existing signed script since it didn't run on any Windows machines. "
|
||||
)
|
||||
scanned_msg = (
|
||||
"Monkey attempted to execute an arbitrary program with the help of a "
|
||||
+ "pre-existing signed script on Windows but failed. "
|
||||
+ "If successful, this behavior could be abused by adversaries to execute malicious "
|
||||
"files that could " + "bypass application control and signature validation on "
|
||||
"systems."
|
||||
"pre-existing signed script on Windows but failed. "
|
||||
)
|
||||
used_msg = (
|
||||
"Monkey executed an arbitrary program with the help of a pre-existing signed script "
|
||||
"on Windows. "
|
||||
+ "This behavior could be abused by adversaries to execute malicious files that could "
|
||||
+ "bypass application control and signature validation on systems."
|
||||
)
|
||||
pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]
|
||||
|
|
Loading…
Reference in New Issue