Hare Sudhan
7dfdc97d79
FreeBSD Cleanup (#2603)
* FreeBSD Cleanup
* cleanup
* fix t1016
* reducing multiline if else to single line
* fix t1037.003
* ignore T1003.007
* fix t1003.007
* more fixes
2023-11-13 16:45:43 -05:00
Hare Sudhan
62a85c12b5
FreeBSD changes (#2585)
* freebsd changes
* renaming freebsd to linux
2023-11-06 17:41:43 -05:00
Atomic Red Team GUID generator
16b5287208
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-11-02 00:56:30 +00:00
Jose Enrique Hernandez
2c1db3e4dd
Merge branch 'master' into master
2023-11-01 19:10:13 -04:00
five-three
c95ca8a5af
Improve the getprereqs command
2023-10-27 11:45:01 +08:00
Carrie Roberts
62f83972c5
use external payloads directory (#2554)
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2023-10-07 15:25:51 -04:00
Carrie Roberts
d667fffea2
correct url (#2552)
* correct url
* Update T1027.yaml
2023-10-03 11:38:37 -06:00
Antonio Piazza
f68822b349
Added ExternalPayloads directory (#2545)
* Added ExternalPayloads dir creation
* Created ExternalPayloads Dir
Created ExternalPayloads Directory using PowerShell command
* Added External Payloads Dir
Added External Payloads Directory using a powershell command for all Procedures.
* Fixed ExternalPayload directory creation
Fixed ExternalPayload directory creation. Got rid of the Split path
* Created External Payloads directory
Created External Payloads directory for procedure 14d55ca0-920e-4b44-8425-37eedd72b173
* Update T1003.002.yaml
Added ExternalPayloads directory creation PowerShell command for procedure 804f28fc-68fc-40da-b5a2-e9d0bce5c193
* Update T1110.004.yaml
Added PowerShell Command to create ExternalPayloads dir for the second prereq for procedure 4852c630-87a9-409b-bb5e-5dc12c9ebcde.
* Update T1110.001.yaml
Added ExternalPayload directory creation PowerShell command for procedure 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
prereq 2
* Added ExternalPayloads Dir
Added Powershell command to create new ExternalPayloads dir for procedure fad04df1-5229-4185-b016-fb6010cd87ac
* Add ExternalPayloads Dir
Added PowerShell Command to create new ExternalPayloads directory for procedure c6f25ec3-6475-47a9-b75d-09ac593c5ecb
* Added prereq download directories
Added powershell command to create prereq download directories for procedure 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-09-29 08:40:27 -06:00
Carrie Roberts
d4709021fb
Handle spaces in file paths (#2535)
* updating atomics count in README.md [ci skip]
* wip
* handle spaces in path
* update readme
* fix typo
---------
Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00
Carrie Roberts
068d32b1ea
use ExternalPayloads directory (#2460)
* use ExternalPayloads directory
* use ExternalPayloads directory
* use ExternalPayloads directory
2023-06-15 10:16:12 -06:00
Alonso Cárdenas
3b8d0af302
Remove auto_generated_guid lines from new entries
Some other tiny modifications
2023-06-09 09:11:41 -05:00
Alonso Cárdenas
86913f3573
Merge branch 'master' of https://github.com/alonsobsd/atomic-red-team
2023-06-01 22:03:39 -05:00
Atomic Red Team GUID generator
d7191cd8b1
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-05-31 20:57:30 +00:00
KillrBunn3
f19429af8c
New test under T1027: Executing zipped JavaScript using WScript (#2447)
* Update T1027.yaml
This test is intended to closely emulate Gootloader's patterns of execution - launching a js file through wscript after being unpacked from a .zip.
* leave prereq files in place
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-05-31 15:56:36 -05:00
KillrBunn3
65294196d0
Spelling adjustments (#2448)
Looking over the YAMLs mostly, only changes for readability or accuracy
2023-05-31 15:50:22 -05:00
Atomic Red Team GUID generator
2a51677203
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-05-11 20:40:32 +00:00
Michael Haag
1ebcb346f6
Snake Malware Atomic Tests
2023-05-11 12:40:31 -06:00
Alonso Cárdenas
f1c5a9be03
Add FreeBSD support
2023-05-08 11:06:08 -05:00
Josh Rickard
a5dd0813cd
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323)
* fix: Updating atomics YAML file structure to align with the new JSON schema definition.
This also fixes some white space issues and general line formatting across all impacted atomics.
* fix: One additional change needed
---------
Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-02-13 16:10:37 -07:00
Brendan Malone
1497723728
Updated T1027 i0 with cleanup and non-builtin command
We were having a hard time detecting this one because echo is a built-in command. In addition, this test has no cleanup. Added both cleanup and a bash/sh command
2022-06-23 14:10:17 -05:00
Adam Mashinchi
2ad7e31f5b
Update T1027.yaml (#1733)
Remove nested `executor` found by community member!
2022-01-19 15:57:11 -07:00
Carrie Roberts
40b9704888
making test manual to avoid execution errors (#1727)
* making test manual to avoid execution errors
* Update T1027.yaml
* Update T1027.yaml
2022-01-18 07:13:23 -07:00
Jose Enrique Hernandez
5ca0cd8717
rebuilt T1027.yml (#1649)
* just added data
* adding yaml
* fixing yaml
* maintain desc spacing
* keep original spacing
* spacing
* spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-10-15 17:14:30 -06:00
CircleCI Atomic Red Team GUID generator
d130f2d97e
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-10-15 15:13:17 +00:00
Wietze
9282894485
T1027: Add generic Command-Line Obfuscation (#1646)
* T1027: Add generic command-line obfuscation
* remove guid so a new one will be auto-assigned
Co-authored-by: Wietze <wietze.beukema@pwc.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-10-15 09:12:44 -06:00
Josh Rickard
1513717eb2
Updating atomics to conform to standard (#1619)
* Updated format of input_argument types for Url
* Updated type for input_arguments to Url (missed)
* Updating Path type for input_arguments
* Updated String type for input_arguments
* Missed a few Strings and Url types
* Updated default values for input_arguments to align with their types
* Updated Integer type for input_arguments
* Updated formatting and spacing of atomics
2021-09-03 18:20:46 -06:00
Adam Mashinchi
189ae94750
Update T1027.yaml
Added additional obfuscated PowerShell example.
2021-07-26 12:46:41 -07:00
Carrie Roberts
1540de2d21
corrections as per BoBoSiKi008 (#1494)
see Issue #1490
2021-06-03 07:46:26 -06:00
CircleCI Atomic Red Team GUID generator
f4a410e08e
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-05-24 21:17:46 +00:00
surajpkhetani
4c09f9d307
Update T1027.yaml (#1469)
* Update T1027.yaml
Added new techniques #5 and #6 which are test cases for testing DLP.
* Update T1027.yaml
* Create T1027-cc-macro.xlsm
* Add files via upload
* Update T1027.yaml
* Update T1027.yaml
* Update T1027.yaml
Minor Changes
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-05-24 15:17:27 -06:00
Carrie Roberts
4fb4525bf3
small correction to handle cmd/ps executors (#1419)
2021-04-08 08:34:04 -06:00
Ryan
7ac896f82a
Update T1027.yaml (#1418)
Because, powershell executor
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2021-04-08 07:22:23 -06:00
Scoubi
1611d8fd07
Update T1027.yaml (#1118)
Add a line to include/force TLS1.2 in order for the prereq function to work on win2k16
All the credit to clr2of8 for sending me the string
2020-07-14 08:35:30 -06:00
Carrie Roberts
4ed14355ed
add -Force to avoid error when redownloading
2020-07-02 17:37:28 -06:00
Carrie Roberts
24549e3866
Convert to Mitre ATT&CK sub-technique schema (#1056)
* Initial transfer of atomics to MITRE subtechniques
* Add GUIDs back in, attack_technique to string (#1019)
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* technique to string and add guids back in
* Subtechnique transfer T1220-T1546.005 (#1020)
* Create T1222.001.yaml
* Create T1222.002.yaml
* Create T1505.002.yaml
* Update T1543.003.yaml
* Update AtomicService.cs
* Update T1546.005.yaml
* Delete T1222.yaml
* Update T1482.yaml
* Update T1485.yaml
* Update T1220.yaml
* Update T1489.yaml
* Update T1490.yaml
* Update T1496.yaml
* Update T1505.003.yaml
* Update T1505.yaml
* Update T1518.001.yaml
* Update T1518.yaml
* Update T1529.yaml
* Update T1543.004.yaml
* Update T1546.001.yaml
* Update T1546.002.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.002.yaml
* Update T1543.001.yaml
* Update T1518.001.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1531.yaml
* Update T1222.001.yaml
* Update T1222.002.yaml
* Update T1505.002.yaml
* Update T1505.003.yaml
* Update T1518.001.yaml
* Update T1543.001.yaml
* Update T1546.005.yaml
* Update T1546.004.yaml
* Update T1546.003.yaml
* Update T1546.002.yaml
* Update T1546.001.yaml
* Update T1543.004.yaml
* Update T1543.003.yaml
* Update T1543.002.yaml
* added auto_generated_guid 1220
* added T1222.001 auto_generated_guid
* Update T1222.002.yaml
added auto_generated_guid entries
* Update T1482.yaml
auto_generated_guid added
* Update T1485.yaml
added auto_generated_guids
* Update T1489.yaml
added auto_generated_guids
* Update T1490.yaml
added auto_generated_guids
* Update T1496.yaml
added auto_generated_guid
* Update T1505.002.yaml
added auto_generated_guid from old T1505 same atomic
* Update T1505.003.yaml
added auto_generated_guid from previous atomic 1100
* Delete T1505.yaml
no longer needed, moved to 1505.002
* Update T1518.yaml
added auto_generated_guids
* Update T1529.yaml
added auto_generated_guids
* Update T1531.yaml
added auto_generated_guids
* Update T1543.001.yaml
added auto_generated_guid
* Update T1543.002.yaml
added auto_generated_guid
* Update T1543.004.yaml
added auto_generated_guid
* Update T1546.001.yaml
added auto_generated_guid
* Update T1546.002.yaml
added auto_generated_guid
* Update T1546.003.yaml
* Update T1546.004.yaml
added auto_generated_guid
* Update T1546.005.yaml
added auto_generated_guid
* add guids back in
* fix spacing issue
* fix spacing
* fix spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Sub-techniques T1053-T1113 - Updates (#1022)
* Sub-techniques T1053-T1113 - Updates
Updated techniques for sub-techniques.
* minor fixes
format fixing
* Added GUIDs
- Added GUIDs back
- Fixed typo (T1054)
- Fixed attack_technique from an array to a string
* Sub-technique updates T1546.008 through T1574.011 (#1024)
* sub technique updates
* sub technique updates
* sub technique updates
* Carrie updates (#1017)
* updated T1110,12,13
* updated T1114
* updated T1114
* updated T1115
* updated T1119
* updated T1123,24
* updated T1127
* updated T1114
* updated T1127
* updated T1132
* T1134.004
* T1134.004
* updated T1135
* updated T1136
* updated T1137
* updated T1140
* remove deprecated T1153
* updated T1176
* updated T1197
* updated T1201
* updated T1202
* updated T1204
* updated T1207
* updated T1216
* updated T1204
* updated T1217
* updated T1218
* updated T1218
* updated T1219
* updated T1218
* attack_technique to string
* Subtechnique transfer (#1025)
* T1003 review
* T1005 manual review changes
* T1027.002 sub-technique review
* T1027.004 sub-technique review
* T1036 sub-technique review
* T1037 sub-technique review
* T1048 sub-technique review
* YAML bugfixes
* Adding auto-generated GUIDs back to tests
* merging with Mike's PR
* Merging with Carrie's PR
* fix spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Subtechnique fix (#1026)
* add atomic_tests: element
* add atomic_tests: element
* more fixes
* more fixes
* more fixes
* sub technique minor fixes 1 (#1027)
* fixes
* fixes
* more fixes
* more fixes
* display name fix (#1028)
* remove some deprecated stuff. reorganize a little (#1031)
* Gendocs fix (#1033)
* gendocs updates for subtechniques
* add folders
* ignore auto generated markdown files
* remove tmp files
* add tmp files
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer
* navigator layer v3.0
* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer
Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-06-17 12:55:46 -06:00
CircleCI Atomic Red Team doc generator
35c42f2c61
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-15 17:19:25 +00:00
tlor89
2954c1fc39
T1027 4 update (#992)
* T1027-4_Update
* T1027-4_Update
Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-05-14 16:43:28 -06:00
Michael Haag
e4ce60f9f2
Updated Descriptions (#897)
* Updated Descriptions
Updated descriptions with what to expect from successful execution.
* Update T1028.yaml
* Update T1028.yaml
* Generate docs from job=validate_atomics_generate_docs branch=description-updates
* move text to description
* Generate docs from job=validate_atomics_generate_docs branch=description-updates
* typo fix
* Generate docs from job=validate_atomics_generate_docs branch=description-updates
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-19 21:23:10 -06:00
Andrew Beers
6469c41198
Success Descriptions 3rd Batch (#895)
* Success Descriptions 3rd Batch
* typo fix
* wording
* typo fix
* improve description
* remove update for now
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-19 16:02:55 -06:00
Andrew Beers
1f74427802
Add completion description and fixes 2nd batch (#894)
* Add completion description and fixed
* fix spelling
* wording update
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-19 13:17:08 -06:00
tlor89
4c35cdb5ff
T1027 t1053 cleanup errors (#828)
* fixed
* T1027-T1053_CleanupErrors
* T1027-T1053_CleanupErrors(2)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-02-10 11:29:45 -07:00
Tony M Lambert
6d1229ee56
T1027 Execution of base64 PowerShell (#694)
* T1027 base64-encoded PowerShell tests
* Generate docs from job=validate_atomics_generate_docs branch=t1027-base64-posh
2019-11-26 18:03:20 -07:00
Carrie Roberts
1bfefdacfc
Add elevated (#542)
* provide elevation_required attribute
* provide elevation_required attribute
* provide elevation_required attribute
2019-09-03 07:34:42 -06:00
Tony M Lambert
f046d56246
T1027 Obfuscated Files or Information (#359)
* T1027 Obfuscated Files or Information
* Fix extension
2018-10-01 13:40:25 -07:00