island: Move T1216's details from T1216.py to attack_schema.py so that it's

shown in the config instead of the ATT&CK report
This commit is contained in:
Shreya Malviya 2021-09-22 18:23:17 +05:30
parent ba2207b21d
commit 9564fb1aaa
2 changed files with 6 additions and 13 deletions


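--- a/attack_schema.py
+++ b/attack_schema.py
@@ -214,9 +214,10 @@ SCHEMA = {
 "value": False,
 "necessary": False,
 "link": "https://attack.mitre.org/techniques/T1216",
-"description": "Adversaries may use scripts signed with "
-"trusted certificates to "
-"proxy execution of malicious files on Windows systems.",
+"description": "Adversaries may use scripts signed with trusted certificates "
+"to proxy execution of malicious files on Windows systems. This behavior could "
+"be abused by adversaries to execute malicious files that could bypass "
+"application control and signature validation on systems.",
 },
 },
 },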


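--- a/T1216.py
+++ b/T1216.py
@@ -6,22 +6,14 @@ class T1216(PostBreachTechnique):
 tech_id = "T1216"
 unscanned_msg = (
 "Monkey didn't attempt to execute an arbitrary program with the help of a "
-+ "pre-existing signed script since it didn't run on any Windows machines. "
-+ "If successful, this behavior could be abused by adversaries to execute malicious "
-"files that could " + "bypass application control and signature validation on "
-"systems."
+"pre-existing signed script since it didn't run on any Windows machines. "
 )
 scanned_msg = (
 "Monkey attempted to execute an arbitrary program with the help of a "
-+ "pre-existing signed script on Windows but failed. "
-+ "If successful, this behavior could be abused by adversaries to execute malicious "
-"files that could " + "bypass application control and signature validation on "
-"systems."
+"pre-existing signed script on Windows but failed. "
 )
 used_msg = (
 "Monkey executed an arbitrary program with the help of a pre-existing signed script "
 "on Windows. "
-+ "This behavior could be abused by adversaries to execute malicious files that could "
-+ "bypass application control and signature validation on systems."
 )
 pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]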
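Review bot: The three report messages now end with a dangling trailing space, because the sentence that used to follow them was removed while the closing fragments kept their separator: `"...since it didn't run on any Windows machines. "`, `"...signed script on Windows but failed. "` and `"on Windows. "` are now the last pieces of unscanned_msg, scanned_msg and used_msg. Unless a consumer strips the text, that space is carried into the rendered ATT&CK report; I'd drop it from each closing fragment, e.g. `"pre-existing signed script since it didn't run on any Windows machines."`, `"pre-existing signed script on Windows but failed."`, `"on Windows."`. The T1216 class begins before the hunk and may continue after it, so I can't confirm from here that nothing else still appends to these strings.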