security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,508 Commits 47 Branches 0 Tags
AutoSUID_linux
Commit Graph

46 Commits

Author SHA1 Message Date
CircleCI Atomic Red Team doc generator 4b1bc4557e Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-11-19 18:43:15 +00:00
glallen 4a5881e343 Linux prereq updates (#1673) 
* T1070.003-9 update (get_)prereq_commmand

- moved system changes to the get_prereq(s)
- ubuntu `passwd` didn't accept `--stdin`
- updated get_prereqs for both ubuntu/centos

* T1016 - update prereq

* T1018 - update prereq

* T1562.001 - update rsyslog prereq

* T1560.001 updates dep check/install, update default likely to exist

switch to /var/log/wtmp and /var/log/btmp vs ${HOME}/*.txt, since those will
always be present

tests for zip in the prereq

adds deb/rpm install for zip

* T1486 - update getprereqs

* T1135 - update prereqs

* T1046 - update prereqs

* T1040 - update prereqs
 2021-11-19 11:42:46 -07:00
CircleCI Atomic Red Team doc generator 36d49de4c8 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00
CircleCI Atomic Red Team doc generator 575b36a8e6 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 15:16:54 +00:00
Anton Kutepov c14c0357dc [OSCD Sprint #2] Final Pull Request / Summary (#1431) 
* Updating T1016 to include macos firewall enumeration

* Tests added

* standardize display name

* Add tests for T1134.001 Access Token Impersonation/Theft (#1236)

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* adding socketfilterfw and cleaning up description formatting, adding description details

* Changing to device manufacturer based test

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Add test for T1006 Direct Volume Access (#1254)

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253)

* T1036.004 - 2 tests added

* Update T1036.004.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* T1136.002 - 2 tests added (#1252)

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* [OSCD] Create atomic test for T1113 for Windows (#1251)

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* update T1564.002

* update T1564.002

* add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique

* Added T1562.006 tests to emulate indicator blocking by modifying configuration files

* split linux and macos tests for TT1518.001; update processes list

* Update T1518.001.yaml

* Removed prereq and fixed command endings

* Indirect command execution - conhost (#1265)

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* [OSCD] Office persiststence :  Office test (#1266)

* Office persiststence :  Office test

* Added technique details

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Remove index files to avoid CI complaints.

* Grr

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Update T1518.001.yaml

* [OSCD] Adding T1547.010 (#1264)

* Port monitor addition

* Rename T1547.010.yml to T1547.010.yaml

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Generate docs from job=validate_atomics_generate_docs branch=oscd

* Fixed typos in test names

Co-authored-by: remotephone@gmail.com <remotephone@gmail.com>
Co-authored-by: haresudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: gregclermont <580609+gregclermont@users.noreply.github.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com>
Co-authored-by: mrblacyk <kweinzettl@gmail.com>
Co-authored-by: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Co-authored-by: Yugoslavskiy Daniil <yugoslavskiy@gmail.com>
Co-authored-by: yugoslavskiy <daniil@yugoslavskiy.com>
Co-authored-by: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Co-authored-by: Keith McCammon <keith@redcanary.com>
Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
 2021-04-19 11:49:59 -06:00
Brian Thacker 7e974e12f2 Update qakbot.bat (#1393) 
Updated qakbot recon command list as reported by DFIR Reports: https://twitter.com/TheDFIRReport/status/1361331598344478727

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2021-02-18 08:52:00 -07:00
Matt Graeber e9cb3c2f59 Update README.md (#1302) 
* Update README.md

Updating execution frameworks link.

* Generate docs from job=validate_atomics_generate_docs branch=mgraeber-rc-patch-1

* Generate docs from job=validate_atomics_generate_docs branch=mgraeber-rc-patch-1

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Michael Haag <mike@redcanary.com>
 2020-11-30 09:18:32 -07:00
Brian Thacker d0b51ff08a T1016 qakbot addition (#1288) 
* Create qakbot.bat

* Update T1016.yaml

Recon commands believed to be associated with Qakbot reconnaissance techniques.
https://hybrid-analysis.com/sample/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/5f63d0b54f389a2d7573a8ce
https://www.virustotal.com/gui/file/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/detection

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-11-17 19:29:55 -07:00
CircleCI Atomic Red Team doc generator 0ff4aada24 Generate docs from job=validate_atomics_generate_docs branch=ATHPowerShellCommandLineParamter 2020-11-09 16:41:52 +00:00
Carrie Roberts ba178ad2b9 add prereqs for adfind tests (#1282) 
* add prereqs for adfind

* typo fixes and executor change
 2020-11-06 09:17:04 -07:00
CircleCI Atomic Red Team doc generator 2ef8ebdcf1 Generate docs from job=validate_atomics_generate_docs branch=master 2020-11-04 15:24:54 +00:00
JimmyAstle 6a686bea42 Inital Commit for adfind Ryuk tests (#1275) 
Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources

Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-11-04 08:24:13 -07:00
CircleCI Atomic Red Team doc generator 910a2a764a Generate docs from job=validate_atomics_generate_docs branch=master 2020-09-29 13:53:28 +00:00
Victuos ab26dc3f70 Wrong commands in T1016 (#1186) 
* Update T1016.md

* Update T1016.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-08-07 17:33:16 -06:00
CircleCI Atomic Red Team doc generator 67dad9ece3 Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 23:52:23 +00:00
JrOrOneEquals1 d8c37b4f4d fix double quotes escaping issue (#1060) 2020-06-18 17:51:36 -06:00
CircleCI Atomic Red Team doc generator 8a82e9b66a Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00
Carrie Roberts 24549e3866 Convert to Mitre ATT&CK sub-technique schema (#1056) 
* Initial transfer of atomics to MITRE subtechniques

* Add GUIDs back in, attack_technique to string (#1019)

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* Subtechnique transfer T1220-T1546.005 (#1020)

* Create T1222.001.yaml

* Create T1222.002.yaml

* Create T1505.002.yaml

* Update T1543.003.yaml

* Update AtomicService.cs

* Update T1546.005.yaml

* Delete T1222.yaml

* Update T1482.yaml

* Update T1485.yaml

* Update T1220.yaml

* Update T1489.yaml

* Update T1490.yaml

* Update T1496.yaml

* Update T1505.003.yaml

* Update T1505.yaml

* Update T1518.001.yaml

* Update T1518.yaml

* Update T1529.yaml

* Update T1543.004.yaml

* Update T1546.001.yaml

* Update T1546.002.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.002.yaml

* Update T1543.001.yaml

* Update T1518.001.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1531.yaml

* Update T1222.001.yaml

* Update T1222.002.yaml

* Update T1505.002.yaml

* Update T1505.003.yaml

* Update T1518.001.yaml

* Update T1543.001.yaml

* Update T1546.005.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.003.yaml

* Update T1543.002.yaml

* added auto_generated_guid 1220

* added T1222.001 auto_generated_guid

* Update T1222.002.yaml

added   auto_generated_guid entries

* Update T1482.yaml

  auto_generated_guid added

* Update T1485.yaml

added   auto_generated_guids

* Update T1489.yaml

added   auto_generated_guids

* Update T1490.yaml

added   auto_generated_guids

* Update T1496.yaml

added   auto_generated_guid

* Update T1505.002.yaml

added   auto_generated_guid from old T1505 same atomic

* Update T1505.003.yaml

added  auto_generated_guid from previous atomic 1100

* Delete T1505.yaml

no longer needed, moved to 1505.002

* Update T1518.yaml

added  auto_generated_guids

* Update T1529.yaml

added   auto_generated_guids

* Update T1531.yaml

added   auto_generated_guids

* Update T1543.001.yaml

added   auto_generated_guid

* Update T1543.002.yaml

added   auto_generated_guid

* Update T1543.004.yaml

added   auto_generated_guid

* Update T1546.001.yaml

added   auto_generated_guid

* Update T1546.002.yaml

added   auto_generated_guid

* Update T1546.003.yaml

* Update T1546.004.yaml

added  auto_generated_guid

* Update T1546.005.yaml

added  auto_generated_guid

* add guids back in

* fix spacing issue

* fix spacing

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Sub-techniques T1053-T1113 - Updates (#1022)

* Sub-techniques T1053-T1113 - Updates

Updated techniques for sub-techniques.

* minor fixes

format fixing

* Added GUIDs

- Added GUIDs back
- Fixed typo (T1054)
- Fixed attack_technique from an array to a string

* Sub-technique updates T1546.008 through T1574.011 (#1024)

* sub technique updates

* sub technique updates

* sub technique updates

* Carrie updates (#1017)

* updated T1110,12,13

* updated T1114

* updated T1114

* updated T1115

* updated T1119

* updated T1123,24

* updated T1127

* updated T1114

* updated T1127

* updated T1132

* T1134.004

* T1134.004

* updated T1135

* updated T1136

* updated T1137

* updated T1140

* remove depracted T1153

* updated T1176

* updated T1197

* updated T1201

* updated T1202

* updated T1204

* updated T1207

* updated T1216

* updated T1204

* updated T1217

* updated T1218

* updated T1218

* updated T1219

* updated T1218

* attack_technique to string

* Subtechnique transfer (#1025)

* T1003 review

* T1005 manual review changes

* T1027.002 sub-technique review

* T1027.004 sub-technique review

* T1036 sub-technique review

* T1037 sub-technique review

* T1048 sub-technique review

* YAML bugfixes

* Adding auto-generated GUIDs back to tests

* merging with Mike's PR

* Merging with Carrie's PR

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Subtechnique fix (#1026)

* add atomic_tests: element

* add atomic_tests: element

* more fixes

* more fixes

* more fixes

* sub technique minor fixes 1 (#1027)

* fixes

* fixes

* more fixes

* more fixes

* display name fix (#1028)

* remove some deprecated stuff. reorganize a little (#1031)

* Gendocs fix (#1033)

* gendocs updates for subtechniques

* add folders

* ignore auto generated markdown files

* remove tmp files

* add tmp files

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

* navigator layer v3.0

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
 2020-06-17 12:55:46 -06:00
CircleCI Atomic Red Team doc generator 35c42f2c61 Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00
CircleCI Atomic Red Team doc generator da779f042d Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-06 16:23:43 +00:00
hypnoticpattern 7d63609ea3 Added dependencies and fixed tests for linux and macOS (#973) 
* Added dependencies and fixed tests

* Added description to dependencies.

* Executable presence checked in dependencies

Co-authored-by: hypnoticpattern <>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-05-06 10:22:48 -06:00
Michael Haag e4ce60f9f2 Updated Descriptions (#897) 
* Updated Descriptions

Updated descriptions with what to expect from successful execution.

* Update T1028.yaml

* Update T1028.yaml

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

* move text to description

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

* typo fix

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-03-19 21:23:10 -06:00
Carrie Roberts 71223b2514 backslash fix for markdown (#881) 2020-03-16 08:50:43 -06:00
Carrie Roberts 6ec7d4bcf0 Specify language for markdown code blocks (#882) 
* specify code block type in markdown

* specify code block type in markdown
 2020-03-16 08:46:25 -06:00
CircleCI Atomic Red Team doc generator cdb4000e20 Generate docs from job=validate_atomics_generate_docs branch=master 2020-03-10 23:03:32 +00:00
JrOrOneEquals1 c6d8809af3 Add prereqs (#867) 
* Added prereqs

* Added prereqs

* Add prereqs

* undeleting file

* corrections

* Corrections
 2020-03-10 17:02:52 -06:00
CircleCI Atomic Red Team doc generator 1141a86873 Generate docs from job=validate_atomics_generate_docs branch=master 2020-01-27 23:27:40 +00:00
Andras32 f2074e94b2 T1012 input args and cleanup (#804) 
* T1012 input args and cleanup

* Removed file write functionality

* fixed missing > in command

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-01-27 16:27:27 -07:00
CircleCI Atomic Red Team doc generator 42687f2055 Generate docs from job=validate_atomics_generate_docs branch=master 2020-01-23 20:26:46 +00:00
MrOrOneEquals1 2ee6318e8b Add Open Port Checker - T1016 (#794) 
* only show cleanup with inputs if there are inputs

* test

* Open Ports added to T1016

* Fix Accidental Change

* Fix type

* Fix underscore naming error

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-01-23 13:26:24 -07:00
Tony M Lambert a4c9ee4430 Replay the Dependencies Merge (#786) 
* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* lowercase url

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* lowercase url

* fixing yaml spacing issue

* correcting input name

* rm to del

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-01-21 12:11:45 -06:00
Tony M Lambert c3b398e48c Revert "Add Dependencies section to test Yaml and support to use them… (#773) 
* Revert "Add Dependencies section to test Yaml and support to use them in the PS execution framework (#772)"

This reverts commit 511bb87af2.

* Generate docs from job=validate_atomics_generate_docs branch=revert-511bb87af29fb302dbd9e85bd93c2c00a47953ba
 2020-01-09 09:12:38 -06:00
Carrie Roberts 511bb87af2 Add Dependencies section to test Yaml and support to use them in the PS execution framework (#772) 
* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* lowercase url
 2020-01-09 07:36:07 -07:00
CircleCI Atomic Red Team doc generator 0b96ad46c7 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-27 16:07:50 +00:00
Carrie Roberts 128f6054e4 recon trickbot style (#696) 2019-11-27 10:07:33 -06:00
Tony M Lambert 0afc5beb6f T1016 Firewall Rule Enumeration with Netsh (#682) 
* T1016 Firewall Rule Enumeration with Netsh

* Generate docs from job=validate_atomics_generate_docs branch=t1016-firewall-enum
 2019-11-20 15:38:52 -07:00
CircleCI Atomic Red Team doc generator 91e86258e6 Generate docs from job=validate_atomics_generate_docs branch=master 2019-10-24 17:09:43 +00:00
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master 2019-09-03 13:36:10 +00:00
Carrie Roberts 1bfefdacfc Add elevated (#542) 
* provide elevation_required attribute

* provide elevation_required attribute

* provide elevation_required attribute
 2019-09-03 07:34:42 -06:00
CircleCI Atomic Red Team doc generator 440e85a9c8 Generate docs from job=validate_atomics_generate_docs branch=master 2019-08-30 15:42:59 +00:00
CircleCI Atomic Red Team doc generator 75c332ac52 Generate docs from job=validate_atomics_generate_docs branch=master 2019-08-29 22:18:28 +00:00
CircleCI Atomic Red Team doc generator 6965fc15ef Generate docs from job=validate_atomics_generate_docs branch=master 2018-11-14 20:59:18 +00:00
CircleCI Atomic Red Team doc generator a8509e66cd Generate docs from job=validate_atomics_generate_docs branch=more-mac-yaml 2018-05-25 17:35:42 +00:00
Michael Haag a1b27e0b8b Rest of Mac converted to Yaml 
🏠 🔛 🔥
🚒
🔥
🎆
 2018-05-25 13:35:29 -04:00
CircleCI Atomic Red Team doc generator 72a58f17fa Generate docs from job=validate_atomics_generate_docs branch=T1016 2018-05-25 11:39:15 +00:00
System Administrator 4f99cfe8b2 T1016 - yam 2018-05-25 07:38:42 -04:00