dwhite9
06ebf05785
Added the "-c" option to adfind commands. (#2645)
* Added the "-c" option to adfind commands. This will cause it to print a
count of the returned objects instead of the actual objects. This is
very useful for large environments and allows it to run quicker without
actually exposing any sensitive information.
* Adding the code to allow specifying optional arguments at runtime instead of hardcoding the -c to allow more flexibility per this request:
https://github.com/redcanaryco/atomic-red-team/pull/2645#pullrequestreview-1795339526
---------
Co-authored-by: dwhite <n/a>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: dwhite9 <n@a>
2023-12-27 11:58:02 -06:00
Hare Sudhan
7dfdc97d79
FreeBSD Cleanup (#2603)
* FreeBSD Cleanup
* cleanup
* fix t1016
* reducing multiline if else to single line
* fix t1037.003
* ignore T1003.007
* fix t1003.007
* more fixes
2023-11-13 16:45:43 -05:00
Hare Sudhan
62a85c12b5
FreeBSD changes (#2585)
* freebsd changes
* renaming freebsd to linux
2023-11-06 17:41:43 -05:00
Atomic Red Team GUID generator
16b5287208
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-11-02 00:56:30 +00:00
Jose Enrique Hernandez
2c1db3e4dd
Merge branch 'master' into master
2023-11-01 19:10:13 -04:00
Carrie Roberts
d4709021fb
Handle spaces in file paths (#2535)
* updating atomics count in README.md [ci skip]
* wip
* handle spaces in path
* update readme
* fix typo
---------
Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00
Carrie Roberts
5dc57a112a
handle spaces in file path (#2527)
2023-09-12 15:13:14 -04:00
Carrie Roberts
a8fe2d2d77
mv adfind to bin (#2465)
* move adfind to external resource
* mv adfind to bin
2023-06-15 16:32:13 -06:00
Carrie Roberts
32a4415e43
move adfind to external resource (#2464)
2023-06-15 15:40:50 -06:00
Alonso Cárdenas
03aca258ad
Fix validate issues
2023-06-09 11:36:41 -05:00
Alonso Cárdenas
3b8d0af302
Remove auto_generated_guid lines from new entries
Some other tiny modifications
2023-06-09 09:11:41 -05:00
Alonso Cárdenas
86913f3573
Merge branch 'master' of https://github.com/alonsobsd/atomic-red-team
2023-06-01 22:03:39 -05:00
Carrie Roberts
af9378c9f3
update executor (#2444)
* update executor
* Update T1016.yaml
---------
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2023-05-31 15:16:42 -06:00
Alonso Cárdenas
f1c5a9be03
Add FreeBSD support
2023-05-08 11:06:08 -05:00
Carrie Roberts
04b6a8fbc3
Adfind prereq fixes (#2360)
* doesn't exfil data as written
* update prereqs
---------
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2023-03-13 12:56:47 -06:00
Josh Rickard
a5dd0813cd
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323)
* fix: Updating atomics YAML file structure to align with the new JSON schema definition.
This also fixes some white space issues and general line formatting across all impacted atomics.
* fix: One additional change needed
---------
Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-02-13 16:10:37 -07:00
tccontre
638ba68ee6
Tccontre patch 1 (#2200)
* Update T1124.yaml
* Update T1033.yaml
* Update T1033.yaml
* Update T1033.yaml
* Update T1033.yaml
* Update T1033.yaml
* Update T1016.yaml
* Update T1016.yaml
* update test name
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-24 10:18:40 -06:00
tlor89
308634b0ec
T1016 (#2157)
Co-authored-by: Toua Lor <tlor@nti.local>
2022-09-22 16:37:14 -06:00
glallen
4a5881e343
Linux prereq updates (#1673)
* T1070.003-9 update (get_)prereq_command
- moved system changes to the get_prereq(s)
- ubuntu `passwd` didn't accept `--stdin`
- updated get_prereqs for both ubuntu/centos
* T1016 - update prereq
* T1018 - update prereq
* T1562.001 - update rsyslog prereq
* T1560.001 updates dep check/install, update default likely to exist
switch to /var/log/wtmp and /var/log/btmp vs ${HOME}/*.txt, since those will
always be present
tests for zip in the prereq
adds deb/rpm install for zip
* T1486 - update getprereqs
* T1135 - update prereqs
* T1046 - update prereqs
* T1040 - update prereqs
2021-11-19 11:42:46 -07:00
Anton Kutepov
c14c0357dc
[OSCD Sprint #2] Final Pull Request / Summary (#1431)
* Updating T1016 to include macos firewall enumeration
* Tests added
* standardize display name
* Add tests for T1134.001 Access Token Impersonation/Theft (#1236)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* adding socketfilterfw and cleaning up description formatting, adding description details
* Changing to device manufacturer based test
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Add test for T1006 Direct Volume Access (#1254)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253)
* T1036.004 - 2 tests added
* Update T1036.004.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* T1136.002 - 2 tests added (#1252)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Create atomic test for T1113 for Windows (#1251)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* update T1564.002
* update T1564.002
* add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique
* Added T1562.006 tests to emulate indicator blocking by modifying configuration files
* split linux and macos tests for T1518.001; update processes list
* Update T1518.001.yaml
* Removed prereq and fixed command endings
* Indirect command execution - conhost (#1265)
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Office persistence : Office test (#1266)
* Office persistence : Office test
* Added technique details
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Remove index files to avoid CI complaints.
* Grr
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Update T1518.001.yaml
* [OSCD] Adding T1547.010 (#1264)
* Port monitor addition
* Rename T1547.010.yml to T1547.010.yaml
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Fixed typos in test names
Co-authored-by: remotephone@gmail.com <remotephone@gmail.com>
Co-authored-by: haresudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: gregclermont <580609+gregclermont@users.noreply.github.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com>
Co-authored-by: mrblacyk <kweinzettl@gmail.com>
Co-authored-by: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Co-authored-by: Yugoslavskiy Daniil <yugoslavskiy@gmail.com>
Co-authored-by: yugoslavskiy <daniil@yugoslavskiy.com>
Co-authored-by: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Co-authored-by: Keith McCammon <keith@redcanary.com>
Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
2021-04-19 11:49:59 -06:00
Matt Graeber
e9cb3c2f59
Update README.md (#1302)
* Update README.md
Updating execution frameworks link.
* Generate docs from job=validate_atomics_generate_docs branch=mgraeber-rc-patch-1
* Generate docs from job=validate_atomics_generate_docs branch=mgraeber-rc-patch-1
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Michael Haag <mike@redcanary.com>
2020-11-30 09:18:32 -07:00
Brian Thacker
d0b51ff08a
T1016 qakbot addition (#1288)
* Create qakbot.bat
* Update T1016.yaml
Recon commands believed to be associated with Qakbot reconnaissance techniques.
https://hybrid-analysis.com/sample/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/5f63d0b54f389a2d7573a8ce
https://www.virustotal.com/gui/file/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/detection
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-11-17 19:29:55 -07:00
Carrie Roberts
ba178ad2b9
add prereqs for adfind tests (#1282)
* add prereqs for adfind
* typo fixes and executor change
2020-11-06 09:17:04 -07:00
CircleCI Atomic Red Team doc generator
2ef8ebdcf1
Generate docs from job=validate_atomics_generate_docs branch=master
2020-11-04 15:24:54 +00:00
JimmyAstle
6a686bea42
Initial Commit for adfind Ryuk tests (#1275)
Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-11-04 08:24:13 -07:00
Victuos
ab26dc3f70
Wrong commands in T1016 (#1186)
* Update T1016.md
* Update T1016.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-08-07 17:33:16 -06:00
JrOrOneEquals1
d8c37b4f4d
fix double quotes escaping issue (#1060)
2020-06-18 17:51:36 -06:00
Carrie Roberts
24549e3866
Convert to Mitre ATT&CK sub-technique schema (#1056)
* Initial transfer of atomics to MITRE subtechniques
* Add GUIDs back in, attack_technique to string (#1019)
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* Subtechnique transfer T1220-T1546.005 (#1020)
* Create T1222.001.yaml
* Create T1222.002.yaml
* Create T1505.002.yaml
* Update T1543.003.yaml
* Update AtomicService.cs
* Update T1546.005.yaml
* Delete T1222.yaml
* Update T1482.yaml
* Update T1485.yaml
* Update T1220.yaml
* Update T1489.yaml
* Update T1490.yaml
* Update T1496.yaml
* Update T1505.003.yaml
* Update T1505.yaml
* Update T1518.001.yaml
* Update T1518.yaml
* Update T1529.yaml
* Update T1543.004.yaml
* Update T1546.001.yaml
* Update T1546.002.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.002.yaml
* Update T1543.001.yaml
* Update T1518.001.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1531.yaml
* Update T1222.001.yaml
* Update T1222.002.yaml
* Update T1505.002.yaml
* Update T1505.003.yaml
* Update T1518.001.yaml
* Update T1543.001.yaml
* Update T1546.005.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.003.yaml
* Update T1543.002.yaml
* added auto_generated_guid 1220
* added T1222.001 auto_generated_guid
* Update T1222.002.yaml
added auto_generated_guid entries
* Update T1482.yaml
auto_generated_guid added
* Update T1485.yaml
added auto_generated_guids
* Update T1489.yaml
added auto_generated_guids
* Update T1490.yaml
added auto_generated_guids
* Update T1496.yaml
added auto_generated_guid
* Update T1505.002.yaml
added auto_generated_guid from old T1505 same atomic
* Update T1505.003.yaml
added auto_generated_guid from previous atomic 1100
* Delete T1505.yaml
no longer needed, moved to 1505.002
* Update T1518.yaml
added auto_generated_guids
* Update T1529.yaml
added auto_generated_guids
* Update T1531.yaml
added auto_generated_guids
* Update T1543.001.yaml
added auto_generated_guid
* Update T1543.002.yaml
added auto_generated_guid
* Update T1543.004.yaml
added auto_generated_guid
* Update T1546.001.yaml
added auto_generated_guid
* Update T1546.002.yaml
added auto_generated_guid
* Update T1546.003.yaml
* Update T1546.004.yaml
added auto_generated_guid
* Update T1546.005.yaml
added auto_generated_guid
* add guids back in
* fix spacing issue
* fix spacing
* fix spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Sub-techniques T1053-T1113 - Updates (#1022)
* Sub-techniques T1053-T1113 - Updates
Updated techniques for sub-techniques.
* minor fixes
format fixing
* Added GUIDs
- Added GUIDs back
- Fixed typo (T1054)
- Fixed attack_technique from an array to a string
* Sub-technique updates T1546.008 through T1574.011 (#1024)
* sub technique updates
* sub technique updates
* sub technique updates
* Carrie updates (#1017)
* updated T1110,12,13
* updated T1114
* updated T1114
* updated T1115
* updated T1119
* updated T1123,24
* updated T1127
* updated T1114
* updated T1127
* updated T1132
* T1134.004
* T1134.004
* updated T1135
* updated T1136
* updated T1137
* updated T1140
* remove deprecated T1153
* updated T1176
* updated T1197
* updated T1201
* updated T1202
* updated T1204
* updated T1207
* updated T1216
* updated T1204
* updated T1217
* updated T1218
* updated T1218
* updated T1219
* updated T1218
* attack_technique to string
* Subtechnique transfer (#1025)
* T1003 review
* T1005 manual review changes
* T1027.002 sub-technique review
* T1027.004 sub-technique review
* T1036 sub-technique review
* T1037 sub-technique review
* T1048 sub-technique review
* YAML bugfixes
* Adding auto-generated GUIDs back to tests
* merging with Mike's PR
* Merging with Carrie's PR
* fix spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Subtechnique fix (#1026)
* add atomic_tests: element
* add atomic_tests: element
* more fixes
* more fixes
* more fixes
* sub technique minor fixes 1 (#1027)
* fixes
* fixes
* more fixes
* more fixes
* display name fix (#1028)
* remove some deprecated stuff. reorganize a little (#1031)
* Gendocs fix (#1033)
* gendocs updates for subtechniques
* add folders
* ignore auto generated markdown files
* remove tmp files
* add tmp files
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer
* navigator layer v3.0
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer
Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-06-17 12:55:46 -06:00
CircleCI Atomic Red Team doc generator
35c42f2c61
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-15 17:19:25 +00:00
hypnoticpattern
7d63609ea3
Added dependencies and fixed tests for linux and macOS (#973)
* Added dependencies and fixed tests
* Added description to dependencies.
* Executable presence checked in dependencies
Co-authored-by: hypnoticpattern <>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-05-06 10:22:48 -06:00
Michael Haag
e4ce60f9f2
Updated Descriptions (#897)
* Updated Descriptions
Updated descriptions with what to expect from successful execution.
* Update T1028.yaml
* Update T1028.yaml
* Generate docs from job=validate_atomics_generate_docs branch=description-updates
* move text to description
* Generate docs from job=validate_atomics_generate_docs branch=description-updates
* typo fix
* Generate docs from job=validate_atomics_generate_docs branch=description-updates
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-19 21:23:10 -06:00
JrOrOneEquals1
c6d8809af3
Add prereqs (#867)
* Added prereqs
* Added prereqs
* Add prereqs
* undeleting file
* corrections
* Corrections
2020-03-10 17:02:52 -06:00
Andras32
f2074e94b2
T1012 input args and cleanup (#804)
* T1012 input args and cleanup
* Removed file write functionality
* fixed missing > in command
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-01-27 16:27:27 -07:00
MrOrOneEquals1
2ee6318e8b
Add Open Port Checker - T1016 (#794)
* only show cleanup with inputs if there are inputs
* test
* Open Ports added to T1016
* Fix Accidental Change
* Fix type
* Fix underscore naming error
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-01-23 13:26:24 -07:00
Carrie Roberts
128f6054e4
recon trickbot style (#696)
2019-11-27 10:07:33 -06:00
Tony M Lambert
0afc5beb6f
T1016 Firewall Rule Enumeration with Netsh (#682)
* T1016 Firewall Rule Enumeration with Netsh
* Generate docs from job=validate_atomics_generate_docs branch=t1016-firewall-enum
2019-11-20 15:38:52 -07:00
Carrie Roberts
1bfefdacfc
Add elevated (#542)
* provide elevation_required attribute
* provide elevation_required attribute
* provide elevation_required attribute
2019-09-03 07:34:42 -06:00
Michael Haag
a1b27e0b8b
Rest of Mac converted to Yaml
🏠 🔛 🔥
🚒
🔥
🎆
2018-05-25 13:35:29 -04:00
System Administrator
4f99cfe8b2
T1016 - yam
2018-05-25 07:38:42 -04:00