security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,538 Commits 47 Branches 0 Tags
pre-commit
Commit Graph

61 Commits

Author SHA1 Message Date
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00
Atomic Red Team doc generator f64434da24 Generated docs from job=generate-docs branch=master [ci skip] 2024-04-27 17:50:49 +00:00
Atomic Red Team doc generator 157de65031 Generated docs from job=generate-docs branch=master [ci skip] 2023-11-07 00:28:51 +00:00
Atomic Red Team doc generator 008fc61040 Generated docs from job=generate-docs branch=master [ci skip] 2023-10-07 19:07:22 +00:00
Carrie Roberts 72585c9dd7 fix typo (#2556) 2023-10-07 15:05:53 -04:00
Atomic Red Team doc generator d146373e1f Generated docs from job=generate-docs branch=master [ci skip] 2023-09-25 20:24:07 +00:00
Antonio Piazza 7c61ce15f0 Update T1036.yaml (#2542) 
Added ExternalPayloads directory creation via powershell command for procedure 4449c89b-ec82-43a4-89c1-91e2f1abeecc
 2023-09-25 14:22:53 -06:00
Atomic Red Team doc generator 81692e20cd Generated docs from job=generate-docs branch=master [ci skip] 2023-09-23 03:44:15 +00:00
Carrie Roberts fc3bfecda2 use ExternalPayloads folder (#2538) 2023-09-22 23:43:06 -04:00
Atomic Red Team doc generator 16594d72c5 Generated docs from job=generate-docs branch=master [ci skip] 2023-02-13 23:11:19 +00:00
Josh Rickard a5dd0813cd fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323) 
* fix: Updating atomics YAML file structure to align with the new JSON schema definition.

This also fixes some white space issues and general line formatting across all impacted atomics.

* fix: One additional change needed

---------

Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2023-02-13 16:10:37 -07:00
CircleCI Atomic Red Team doc generator da4d80c694 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2022-04-11 15:22:21 +00:00
Leo Verlod f13ec2fb08 Rewriting T1036 Test 1 in Powershell (#1859) 2022-04-11 09:21:40 -06:00
CircleCI Atomic Red Team doc generator 742483f51c Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2022-02-07 15:05:14 +00:00
CircleCI Atomic Red Team GUID generator 8443011f02 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2022-02-07 15:05:09 +00:00
lucasRiley e029a0734d T1036 (#1763) 
* T1036

* Update T1036.yaml

* updated description

* correct outfile param

* Add -force to avoid error msg

* update zip url

Co-authored-by: Riley <lriley@NTI.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2022-02-07 08:04:43 -07:00
CircleCI Atomic Red Team doc generator 36d49de4c8 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00
CircleCI Atomic Red Team doc generator 575b36a8e6 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 15:16:54 +00:00
CircleCI Atomic Red Team doc generator c95a59500a Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-04-16 05:23:21 +00:00
CircleCI Atomic Red Team GUID generator 330e495c51 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-04-16 05:23:16 +00:00
zedutchmann f8e0e5b85f T1036 (#1428) 
* Create tempt.txt

* Add new T1036 test

* Delete tempt.txt
 2021-04-15 23:22:56 -06:00
Carrie Roberts 24549e3866 Convert to Mitre ATT&CK sub-technique schema (#1056) 
* Initial transfer of atomics to MITRE subtechniques

* Add GUIDs back in, attack_technique to string (#1019)

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* Subtechnique transfer T1220-T1546.005 (#1020)

* Create T1222.001.yaml

* Create T1222.002.yaml

* Create T1505.002.yaml

* Update T1543.003.yaml

* Update AtomicService.cs

* Update T1546.005.yaml

* Delete T1222.yaml

* Update T1482.yaml

* Update T1485.yaml

* Update T1220.yaml

* Update T1489.yaml

* Update T1490.yaml

* Update T1496.yaml

* Update T1505.003.yaml

* Update T1505.yaml

* Update T1518.001.yaml

* Update T1518.yaml

* Update T1529.yaml

* Update T1543.004.yaml

* Update T1546.001.yaml

* Update T1546.002.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.002.yaml

* Update T1543.001.yaml

* Update T1518.001.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1531.yaml

* Update T1222.001.yaml

* Update T1222.002.yaml

* Update T1505.002.yaml

* Update T1505.003.yaml

* Update T1518.001.yaml

* Update T1543.001.yaml

* Update T1546.005.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.003.yaml

* Update T1543.002.yaml

* added auto_generated_guid 1220

* added T1222.001 auto_generated_guid

* Update T1222.002.yaml

added   auto_generated_guid entries

* Update T1482.yaml

  auto_generated_guid added

* Update T1485.yaml

added   auto_generated_guids

* Update T1489.yaml

added   auto_generated_guids

* Update T1490.yaml

added   auto_generated_guids

* Update T1496.yaml

added   auto_generated_guid

* Update T1505.002.yaml

added   auto_generated_guid from old T1505 same atomic

* Update T1505.003.yaml

added  auto_generated_guid from previous atomic 1100

* Delete T1505.yaml

no longer needed, moved to 1505.002

* Update T1518.yaml

added  auto_generated_guids

* Update T1529.yaml

added   auto_generated_guids

* Update T1531.yaml

added   auto_generated_guids

* Update T1543.001.yaml

added   auto_generated_guid

* Update T1543.002.yaml

added   auto_generated_guid

* Update T1543.004.yaml

added   auto_generated_guid

* Update T1546.001.yaml

added   auto_generated_guid

* Update T1546.002.yaml

added   auto_generated_guid

* Update T1546.003.yaml

* Update T1546.004.yaml

added  auto_generated_guid

* Update T1546.005.yaml

added  auto_generated_guid

* add guids back in

* fix spacing issue

* fix spacing

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Sub-techniques T1053-T1113 - Updates (#1022)

* Sub-techniques T1053-T1113 - Updates

Updated techniques for sub-techniques.

* minor fixes

format fixing

* Added GUIDs

- Added GUIDs back
- Fixed typo (T1054)
- Fixed attack_technique from an array to a string

* Sub-technique updates T1546.008 through T1574.011 (#1024)

* sub technique updates

* sub technique updates

* sub technique updates

* Carrie updates (#1017)

* updated T1110,12,13

* updated T1114

* updated T1114

* updated T1115

* updated T1119

* updated T1123,24

* updated T1127

* updated T1114

* updated T1127

* updated T1132

* T1134.004

* T1134.004

* updated T1135

* updated T1136

* updated T1137

* updated T1140

* remove depracted T1153

* updated T1176

* updated T1197

* updated T1201

* updated T1202

* updated T1204

* updated T1207

* updated T1216

* updated T1204

* updated T1217

* updated T1218

* updated T1218

* updated T1219

* updated T1218

* attack_technique to string

* Subtechnique transfer (#1025)

* T1003 review

* T1005 manual review changes

* T1027.002 sub-technique review

* T1027.004 sub-technique review

* T1036 sub-technique review

* T1037 sub-technique review

* T1048 sub-technique review

* YAML bugfixes

* Adding auto-generated GUIDs back to tests

* merging with Mike's PR

* Merging with Carrie's PR

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Subtechnique fix (#1026)

* add atomic_tests: element

* add atomic_tests: element

* more fixes

* more fixes

* more fixes

* sub technique minor fixes 1 (#1027)

* fixes

* fixes

* more fixes

* more fixes

* display name fix (#1028)

* remove some deprecated stuff. reorganize a little (#1031)

* Gendocs fix (#1033)

* gendocs updates for subtechniques

* add folders

* ignore auto generated markdown files

* remove tmp files

* add tmp files

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

* navigator layer v3.0

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
 2020-06-17 12:55:46 -06:00
CircleCI Atomic Red Team doc generator 51ce388932 Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-20 13:44:04 +00:00
Andrew Beers 1b2bf832c3 T1036 file extension masquerading fix (#999) 
* change executer to help with writing detection

* putting guid back in

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-05-20 07:43:35 -06:00
CircleCI Atomic Red Team doc generator 455840f3bb Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 20:18:24 +00:00
Andrew Beers 672bd86fff T1036 file extension masquerading (#997) 
* write test

* add files and test cases

* improve naming for exe files
 2020-05-15 14:18:08 -06:00
CircleCI Atomic Red Team doc generator 35c42f2c61 Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00
Michael Haag e4ce60f9f2 Updated Descriptions (#897) 
* Updated Descriptions

Updated descriptions with what to expect from successful execution.

* Update T1028.yaml

* Update T1028.yaml

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

* move text to description

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

* typo fix

* Generate docs from job=validate_atomics_generate_docs branch=description-updates

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-03-19 21:23:10 -06:00
CircleCI Atomic Red Team doc generator 8a99c40601 Generate docs from job=validate_atomics_generate_docs branch=master 2020-03-19 19:17:26 +00:00
Andrew Beers 1f74427802 Add completion description and fixes 2nd batch (#894) 
* Add completion description and fixed

* fix spelling

* wording update

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-03-19 13:17:08 -06:00
san-gwea e9d17b1839 delete the file , case sensitive EXE (#886) 2020-03-17 10:15:54 -06:00
Carrie Roberts 71223b2514 backslash fix for markdown (#881) 2020-03-16 08:50:43 -06:00
Carrie Roberts 6ec7d4bcf0 Specify language for markdown code blocks (#882) 
* specify code block type in markdown

* specify code block type in markdown
 2020-03-16 08:46:25 -06:00
CircleCI Atomic Red Team doc generator 2f778f359e Generate docs from job=validate_atomics_generate_docs branch=master 2020-03-10 23:06:25 +00:00
JrOrOneEquals1 3fa4dd1c9e Fixed cleanup commands (#869) 
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-03-10 17:06:14 -06:00
CircleCI Atomic Red Team doc generator cdb4000e20 Generate docs from job=validate_atomics_generate_docs branch=master 2020-03-10 23:03:32 +00:00
JrOrOneEquals1 c6d8809af3 Add prereqs (#867) 
* Added prereqs

* Added prereqs

* Add prereqs

* undeleting file

* corrections

* Corrections
 2020-03-10 17:02:52 -06:00
CircleCI Atomic Red Team doc generator ff94993abb Generate docs from job=validate_atomics_generate_docs branch=master 2020-02-10 18:30:02 +00:00
tlor89 4c35cdb5ff T1027 t1053 cleanup errors (#828) 
* fixed

* T1027-T1053_CleanupErrors

* T1027-T1053_CleanupErrors(2)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-02-10 11:29:45 -07:00
Tony M Lambert a4c9ee4430 Replay the Dependencies Merge (#786) 
* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* lowercase url

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* lowercase url

* fixing yaml spacing issue

* correcting input name

* rm to del

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-01-21 12:11:45 -06:00
Tony M Lambert c3b398e48c Revert "Add Dependencies section to test Yaml and support to use them… (#773) 
* Revert "Add Dependencies section to test Yaml and support to use them in the PS execution framework (#772)"

This reverts commit 511bb87af2.

* Generate docs from job=validate_atomics_generate_docs branch=revert-511bb87af29fb302dbd9e85bd93c2c00a47953ba
 2020-01-09 09:12:38 -06:00
Carrie Roberts 511bb87af2 Add Dependencies section to test Yaml and support to use them in the PS execution framework (#772) 
* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* first draft at dependencies

* lowercase url
 2020-01-09 07:36:07 -07:00
CircleCI Atomic Red Team doc generator 406b4a1f77 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-13 00:52:25 +00:00
Brian Thacker 3fdc8ee7de Cleanup test 6, 7 (#648) 
Changing default value from env:SystemRoot to env:Temp. By default, user can write to systemroot temp directory but cannot execute the cleanup commands. Correcting typo scvhost to svchost.
 2019-11-12 17:51:57 -07:00
CircleCI Atomic Red Team doc generator 0a1f37aa54 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-12 07:26:51 +00:00
Andrew Beers da90ca6563 T1036 malicious process masquerade as lsm (#637) 
* create test, fix lined endings

* fix elevation requried

* fix file path

* fix formatting for circleci test

* misspelling
 2019-11-12 00:26:37 -07:00
CircleCI Atomic Red Team doc generator eb9f0fbcd6 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-09 02:14:44 +00:00
Brian Thacker 940b93af67 Added two more generic tests to T1036: test 6 and test 7. Test 6 meant to masquerade non-windows exes as real windows exes. Test 7 meant to masquerade windows exes as other windows exes. Added cleanup and input arguments logic to test 6 and 7. Added a generic executable for testing masquerading a non-windows exe as a windows exe. Added source files used for creating the executable in the T1036\bin folder. (#617) 2019-11-08 19:14:13 -07:00
CircleCI Atomic Red Team doc generator 457e6acf51 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:07:44 +00:00
dwhite9 0f77fd91fb Update T1036.yaml (#609) 
* Adding T1086 Alternate Data Stream atomic

* Added newline T1086

* Syncing changes with updstream and origin.

* Added Cleanup to Logon Scripts Atomic T1037

* Added timout to allow time for detection logic to register change.

* Fixed issue with upstream sync,  Re-added timout to allow time for detection logic.

* Fixed cleanup command. Yaml tag not working to allow it to run.

* Update T1158 test 11. 

Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.

* Update T1037.yaml

Moved Reg delete command under the cleanup_command tag for consistency.

* Update T1037.yaml

Moved reg removal command under cleanup_command tag for consistency.

* Update T1086.yaml

Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.

Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.

* Update T1036.yaml

Added Cleanup commands for the windows tests
 2019-11-05 12:07:15 -07:00