* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml
Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml
Moved reg removal command under cleanup_command tag for consistency.
* Update T1086.yaml
Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.
Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml
Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml
Moved reg removal command under cleanup_command tag for consistency.
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
Added test 6: Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. I also formatted the name of this atomic and numbers 1 and 2 to match the others e.g. ("Remote System Discovery - [tool]")
Added a new test that attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. As well I updated the names of the tests here while keeping them simple; they were duplicated and not descriptive enough.
Details: After further thought & discussion; suggesting a more precise name for atomic 4 (originally pulled here by me). Changing to "Modify registry to store logon credentials," and removing the former word "downgrade." The registry modification in this test does not actually enable a "downgrade," rather it allows the storage of auto-login credentials overall; they are resultingly stored as text, but that is not a downgrade
Testing: no testing required (only name change)
Associated Issues: none
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
* Added 'Elevated group enumeration using net group' + minor fix
added a new atomic ( 4), and updated attack 2 name to more clearly reflect what it is doing versus the newly added atomic (which has commands more specific to high value, elevated groups, and as well simple obfuscation)
* minor syntax fix; description clarification
* further minor clarifications to description and title
CircleCI Atomic Red Team doc generator