When using PowerShell remoting to Linux system where PowerShell <7.3 is installed, there is this quirk that right after connection is established, there must be nothing printed to stdout (no banner, nothing echoed in .bashrc). That's likely the reason for `-nologo` in sshd configuration [1] from my testing. Execution of the this test before this commit breaks SSH and even running cleanup command after initial test execution fails.
To prevent this test breaking SSH during described usage, default command was changed to print to file and not stdout.
Also replaced sed command in cleanup as it breaks when `command_to_add` is more complex command containing sed-specific special characters (e.g. `>`).
[1] https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-7.2
Fix for systems with multiple authorized keys. Without quotes, the echo command separates new lines with space instead of new line character which breaks authorized_keys file in case there are multiple keys in the file.
* Update T1090.003.yaml
Add prereq for test 1 on batch file requirements
* Update T1090.003.yaml
fixed the spacing
* Update T1090.003.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
We have added a new atomic test with guid ffcbfaab-c9ff-470b-928c-f086b326089b that sets two registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText to display a ransom message. While executing this atomic test, the value for these registries can be configured using the switch -PromptForInputArgs. This technique has been used by many ransomwares in the past including SynAck, Grief, Maze, Pysa, Spook, DopplePaymer, Reedemer and Kangaroo. After encrypting files, ransomwares modify the Windows LegalNoticeCaption and LegalNoticeText registry keys to display a ransom message to victim at logon.
Changing the description of atomic test 251c5936-569f-42f4-9ac2-87a173b9e9b8 from "modifying the registry key" to "setting the registry key". In this context, the word "setting" sounds more appropriate than "modifying".
* Update T1204.002.yaml
Added Mirror Blast technique.
* Update T1204.002.yaml
Added cleanup command to Mirror Blast Test.
* Add files via upload
Added Excel sheet with macro to download 7zip.
* Add files via upload
Information about macro in Mirror Blast.
* use PathToAtomicsFolder
* add link to blog
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Atomic Red Team doc generator