Commit Graph

52 Commits

Author SHA1 Message Date
Thomas M f92569597a Add new atomic test T1055 custom uuid process injection in C, a stealthier implementation compared to the original one introduced by NCC group (#2674)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-02-08 15:39:08 -06:00
Atomic Red Team GUID generator 5c63f2082e Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-12-01 21:28:45 +00:00
navsec 6879f4e317 Add tests for various shellcode running techniques using Go (#2627)
* Adding shellcode running techniques using Go

* Removing auto-generated guid before PR

---------

Co-authored-by: navsec <navsec@navsec.net>
2023-12-01 15:27:51 -06:00
Atomic Red Team GUID generator e76abe6a90 Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-11-17 17:28:59 +00:00
Hare Sudhan 2f26d9917a Duplicate guid fix (#2609)
* duplicate guid fix

* duplicate guid fix
2023-11-17 09:28:12 -08:00
Thomas Meng d133634d49 Process injection RWX injection / Mockingjay local injection (#2587)
* This should be a short message describing what changed.

* The new process injection technique: RWX injection AKA Mockingjay under T1055

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-11-07 14:01:21 -08:00
Carrie Roberts d4709021fb Handle spaces in file paths (#2535)
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00
Atomic Red Team GUID generator a68b2cfabe Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-09-12 02:52:08 +00:00
art-labs 0c57c49f1b Update T1055.yaml (#2526)
removing invalid guid. a new one will be automatically assigned by github actions
2023-09-11 20:51:30 -06:00
Thomas Meng 886ede1606 Process injection dirty vanity (#2520)
* Add new T1055 process injection test named dirty vanity

* Fix typos

* Update build.bat

* Delete atomics/T1055/T1055.yaml.bak

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-09-06 12:28:11 -06:00
Carrie Roberts 068d32b1ea use ExternalPayloads directory (#2460)
* use ExternalPayloads directory

* use ExternalPayloads directory

* use ExternalPayloads directory
2023-06-15 10:16:12 -06:00
Carrie Roberts a568b296ee add -UseBasicParsing (#2405)
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2023-04-27 09:14:01 -06:00
Josh Rickard a5dd0813cd fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323)
* fix: Updating atomics YAML file structure to align with the new JSON schema definition.

This also fixes some white space issues and general line formatting across all impacted atomics.

* fix: One additional change needed

---------

Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-02-13 16:10:37 -07:00
Atomic Red Team GUID generator 7eb64678b5 Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-01-10 23:37:01 +00:00
tr4cefl0w 43a42402af adding Section View injection (#2275) 2023-01-10 16:36:25 -07:00
tlor89 cf8cae7466 T1055 (#2177)
* T1055

* Update input args description

Co-authored-by: Toua Lor <tlor@nti.local>
2022-10-04 16:33:02 -06:00
Carrie Roberts 869f7e880d mimi prereq fixes (#2163)
* mimi prereq fixes

* fix url to helper
2022-09-26 11:40:00 -06:00
Josh Rickard 1513717eb2 Updating atomics to conform to standard (#1619)
* Updated format of input_argument types for Url

* Updated type for input_arguments to Url (missed)

* Updating Path type for input_arguments

* Updated String type for input_arguments

* Missed a few Strings and Url types

* Updated default values for input_arguments to align with their types

* Updated Integer type for input_arguments

* Updated formatting and spacing of atomics
2021-09-03 18:20:46 -06:00
Arioch 50e36cb7e7 Update hardcoded Mimikatz releases download URLs (#1604)
* update references to hardcoded mimikatz releases

* update invoke-webrequest parameters

* apply -UseBasicParsing consistently to Invoke-WebRequest calls

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-08-23 15:08:54 -06:00
Arioch 5ea85dab6d T1055-2: update mimikatz download url (#1602)
* update mimikatz download url

* fix minor typo

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-08-18 15:27:26 -06:00
Clément Notin 1a4c4a97d2 Improve discoverability of "Active Directory" attacks (#1544) 2021-07-07 11:38:22 -06:00
Carrie Roberts c0e5117730 moving invoke-maldoc into art repo 2021-07-01 20:11:10 -06:00
SecurityShrimp 42799b033d added TLS/SSL v1.2 enabling commands to any atomic test utilizing IWR (#1519)
* Update T1204.002.md

Added lines to each test using IWR for invoke-webrequest to set the acceptable TLS versions for the commands to complete successfully by prepending the tests with 

```[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12```

* Update T1555.yaml

added line to set ssl/tls version

* Update T1134.001.yaml

updated IWR lines to allow ssl/tls version 1.2

* Update T1069.002.yaml

added lines to every IWR instance to set ssl/tls version to 1.2

* Update T1558.003.yaml

added line to allow TLS/SSL 1.2

* Update T1033.yaml

added command to enable SSL/TLS v1.2

* Update T1055.012.yaml

added command to enable TLS/SSL v1.2

* Update T1115.yaml

Added command to enable SSL/TLS v1.2

* Update T1070.001.yaml

added command enabling SSL/TLS v 1.2

* Update T1564.yaml

added commands to enable SSL/TLS v 1.2

* Update T1566.001.yaml

added command to enable SSL/TLS V1.2

* Update T1135.yaml

added command to enable SSL/TLS v1.2

* Update T1055.yaml

added commands to enable TLS/SSL v 1.2

* Update T1110.003.yaml

added command to enable TLS/SSL v1.2

* Update T1003.yaml

Added command to enable TLS/SSL v1.2

* Update T1053.005.yaml

added command to enable TLS/SSL v1.2

* Update T1003.001.yaml

added commands to enable TLS/SSL v1.2 for any command using invoke-webrequest

* Update T1069.002.yaml

syntax correction

* Update T1134.001.yaml

syntax correction

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-06-16 12:41:04 -06:00
Carrie Roberts 8b6c9af427 add usebasicparsing flag (#1410) 2021-04-02 07:28:29 -06:00
Matt Graeber 80415a586f Moving mavinject test to T1055.001 and src cleanup #1404 (#1405)
* Moving mavinject test to T1055.001 and src cleanup #1404

* Adding Windows Command Prompt test

* Adding rundll32.exe test

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-03-13 07:22:36 -07:00
Clément Notin 2221b0715b T1055: psexec "-s" is not required (#1402)
Since the user is admin, the debug privilege is automatically obtained when necessary for the injection.
The TTP is also clearer because mimikatz runs as the current user (used for psexec) and not as SYSTEM
2021-03-09 21:09:09 -07:00
Clément Notin b0a0bbc66e T1055: add new test "Remote Process Injection in LSASS via mimikatz" (#1353)
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com>
Co-authored-by: Clément Notin <clement.notin@alsid.com>

Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com>
2021-01-06 11:42:08 -07:00
Keith McCammon 28086402e2 Maintainers updates (#1328)
* Update maintainers.md

Remove reference to announcements channel, which has been created.

* Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates

* Update maintainers.md

Updates to maintainers meeting purpose, scope, and agendas.

* Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-12-15 14:18:41 -07:00
Ama Smuggle Avocados 9e352ddc2d Shellcodevba (#1326)
* initial push for T1055 (Shellcode execution via VBA)

* updates

* updates

* updates

Co-authored-by: avocado <avocados@smuggler.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-12-11 07:55:17 -07:00
Clément Notin d7f38267d5 T1055: tech 1, launch visible notepad (#1035)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-06-29 16:46:15 -06:00
Carrie Roberts 24549e3866 Convert to Mitre ATT&CK sub-technique schema (#1056)
* Initial transfer of atomics to MITRE subtechniques

* Add GUIDs back in, attack_technique to string (#1019)

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* technique to string and add guids back in

* Subtechnique transfer T1220-T1546.005 (#1020)

* Create T1222.001.yaml

* Create T1222.002.yaml

* Create T1505.002.yaml

* Update T1543.003.yaml

* Update AtomicService.cs

* Update T1546.005.yaml

* Delete T1222.yaml

* Update T1482.yaml

* Update T1485.yaml

* Update T1220.yaml

* Update T1489.yaml

* Update T1490.yaml

* Update T1496.yaml

* Update T1505.003.yaml

* Update T1505.yaml

* Update T1518.001.yaml

* Update T1518.yaml

* Update T1529.yaml

* Update T1543.004.yaml

* Update T1546.001.yaml

* Update T1546.002.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.002.yaml

* Update T1543.001.yaml

* Update T1518.001.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1531.yaml

* Update T1222.001.yaml

* Update T1222.002.yaml

* Update T1505.002.yaml

* Update T1505.003.yaml

* Update T1518.001.yaml

* Update T1543.001.yaml

* Update T1546.005.yaml

* Update T1546.004.yaml

* Update T1546.003.yaml

* Update T1546.002.yaml

* Update T1546.001.yaml

* Update T1543.004.yaml

* Update T1543.003.yaml

* Update T1543.002.yaml

* added auto_generated_guid 1220

* added T1222.001 auto_generated_guid

* Update T1222.002.yaml

added auto_generated_guid entries

* Update T1482.yaml

auto_generated_guid added

* Update T1485.yaml

added auto_generated_guids

* Update T1489.yaml

added auto_generated_guids

* Update T1490.yaml

added auto_generated_guids

* Update T1496.yaml

added auto_generated_guid

* Update T1505.002.yaml

added auto_generated_guid from old T1505 same atomic

* Update T1505.003.yaml

added auto_generated_guid from previous atomic 1100

* Delete T1505.yaml

no longer needed, moved to 1505.002

* Update T1518.yaml

added auto_generated_guids

* Update T1529.yaml

added auto_generated_guids

* Update T1531.yaml

added auto_generated_guids

* Update T1543.001.yaml

added auto_generated_guid

* Update T1543.002.yaml

added auto_generated_guid

* Update T1543.004.yaml

added auto_generated_guid

* Update T1546.001.yaml

added auto_generated_guid

* Update T1546.002.yaml

added auto_generated_guid

* Update T1546.003.yaml

* Update T1546.004.yaml

added auto_generated_guid

* Update T1546.005.yaml

added auto_generated_guid

* add guids back in

* fix spacing issue

* fix spacing

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Sub-techniques T1053-T1113 - Updates (#1022)

* Sub-techniques T1053-T1113 - Updates

Updated techniques for sub-techniques.

* minor fixes

format fixing

* Added GUIDs

- Added GUIDs back
- Fixed typo (T1054)
- Fixed attack_technique from an array to a string

* Sub-technique updates T1546.008 through T1574.011 (#1024)

* sub technique updates

* sub technique updates

* sub technique updates

* Carrie updates (#1017)

* updated T1110,12,13

* updated T1114

* updated T1114

* updated T1115

* updated T1119

* updated T1123,24

* updated T1127

* updated T1114

* updated T1127

* updated T1132

* T1134.004

* T1134.004

* updated T1135

* updated T1136

* updated T1137

* updated T1140

* remove deprecated T1153

* updated T1176

* updated T1197

* updated T1201

* updated T1202

* updated T1204

* updated T1207

* updated T1216

* updated T1204

* updated T1217

* updated T1218

* updated T1218

* updated T1219

* updated T1218

* attack_technique to string

* Subtechnique transfer (#1025)

* T1003 review

* T1005 manual review changes

* T1027.002 sub-technique review

* T1027.004 sub-technique review

* T1036 sub-technique review

* T1037 sub-technique review

* T1048 sub-technique review

* YAML bugfixes

* Adding auto-generated GUIDs back to tests

* merging with Mike's PR

* Merging with Carrie's PR

* fix spacing

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

* Subtechnique fix (#1026)

* add atomic_tests: element

* add atomic_tests: element

* more fixes

* more fixes

* more fixes

* sub technique minor fixes 1 (#1027)

* fixes

* fixes

* more fixes

* more fixes

* display name fix (#1028)

* remove some deprecated stuff. reorganize a little (#1031)

* Gendocs fix (#1033)

* gendocs updates for subtechniques

* add folders

* ignore auto generated markdown files

* remove tmp files

* add tmp files

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

* navigator layer v3.0

* Generate docs from job=validate_atomics_generate_docs branch=subtechnique_transfer

Co-authored-by: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com>
Co-authored-by: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-06-17 12:55:46 -06:00
Brian Thacker 2cc548c118 Fix typo t1055 t1100 t1010 (#1007)
* Path correction test 4

T1055 test 4 default path of exe_binary did not work on a standard system nor provide the flexibility of an input argument.

* Update T1100.yaml

Added /q (quiet mode) to the cleanup command to prevent command from hanging.

* Update T1010.yaml

Test 1 used a default path with an environment variable naming schema used with powershell, not the executor command_prompt.

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-05-21 16:27:29 -06:00
Andrew Beers f8cd169ca3 Move test to T1105 (#1000) 2020-05-20 09:58:20 -06:00
CircleCI Atomic Red Team doc generator 35c42f2c61 Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00
hypnoticpattern 57197a9a6f T1009, T1014, T1055, T1215: Added dependencies (#958)
Co-authored-by: hypnoticpattern <>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-04-28 11:03:53 -06:00
Andrew Beers 1e601b4b9c Fix description, remove broken test (#904)
* start work

* fix test to run 64 bit version

* delete broken test

* fix merge conflicts

* merge

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-23 14:56:18 -06:00
Michael Haag ab0b391ac0 Updated Descriptions (#899)
* Updated Descriptions

Batch of description updates to assist with understanding what a test will do.

* Update T1055.yaml

* Update T1055.yaml

Trying to fix this...

* Update T1055.yaml

fixing again

* Update T1055.yaml

* spacing fix

* Generate docs from job=validate_atomics_generate_docs branch=descriptions

* wording updates

* Generate docs from job=validate_atomics_generate_docs branch=descriptions

* remove cmd.exe /c prefix

* Generate docs from job=validate_atomics_generate_docs branch=descriptions

* wording update

* Generate docs from job=validate_atomics_generate_docs branch=descriptions

* add back tick

* Generate docs from job=validate_atomics_generate_docs branch=descriptions

* hashtag stuff

* Generate docs from job=validate_atomics_generate_docs branch=descriptions

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-03-20 16:48:58 -06:00
Matt Graeber c6788c5736 Atomic test bug fixes/consistency improvements (#884)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-16 15:32:25 -06:00
JrOrOneEquals1 3fa4dd1c9e Fixed cleanup commands (#869)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-10 17:06:14 -06:00
JrOrOneEquals1 c6d8809af3 Add prereqs (#867)
* Added prereqs

* Added prereqs

* Add prereqs

* undeleting file

* corrections

* Corrections
2020-03-10 17:02:52 -06:00
Brandon Morgan e93ed496ac default pid set to spoolsv (#656) 2019-11-14 15:57:07 -07:00
Carrie Roberts c648b94ff1 remove hard-coded path to atomics folder in tests (#618) 2019-11-08 11:46:46 -06:00
Andrew Beers cb5f6c91a6 T1055 svchost writing a file to a unc path (#615)
* add test

* delete fake svchost

* Update atomics/T1055/T1055.yaml

Co-Authored-By: Keith McCammon <keith@mccammon.org>

* Update atomics/T1055/T1055.yaml

Co-Authored-By: Keith McCammon <keith@mccammon.org>
2019-11-07 15:27:56 -07:00
Tony M Lambert 6cf9c681fd T1055 Test for LD_PRELOAD (#601)
* T1055 Test for LD_PRELOAD

* Update T1055.yaml
2019-11-05 12:00:58 -07:00
Carrie Roberts e206885e1d naming variable correctly so it gets replaced as a variable at execution time (#588) 2019-10-16 12:16:19 -06:00
Carrie Roberts 1bfefdacfc Add elevated (#542)
* provide elevation_required attribute

* provide elevation_required attribute

* provide elevation_required attribute
2019-09-03 07:34:42 -06:00
caseysmithrc a668ff07d9 T1055 process injection (#460)
* ProcessInjection-FiveAlive

* Generate docs from job=validate_atomics_generate_docs branch=T1055-ProcessInjection
2019-02-17 14:45:00 -08:00
Tony M Lambert b831127ab2 T1055 - Test for shared library injection on Linux (#448)
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* T1055 - Added test for /etc/ld.so.preload addition
2019-02-05 13:05:15 -08:00
caseysmithrc bd4afde020 T1055 update (#370)
* Correct T1055 Source and Test

* Generate docs from job=validate_atomics_generate_docs branch=T1055-Update

* Update T1055.cpp
2018-10-04 19:02:30 -07:00
Michael Haag b512869c36 Powershell fixes
Fixed per issue #322
2018-09-05 11:35:24 -04:00