* Create T1595.002.yaml
* Added vbscript (griffon recon) for test 1
Script ref. (public gist) https://gist.githubusercontent.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d/raw/55ecbf8f83c36984371a335991f6cf4f2022319b/gistfile1.txt
* added run as priv user
n/a
* removed guid accidentally put in
* removed extra line
* checking syntax final
* remove dependency line
* minor updates to invoke the build process again
* removing elevation required
thanks for that additional review, carrie
* moving to T1082 per review
* adding test 8 (griffon recon)
* create griffon_recon.vbs for test 8
script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d),
and it gives the exact same recon behavior, hash mentioned in the code, as the original (minus the C2 interaction).
* moving vbs file to T1082 per review
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update maintainers.md
Remove reference to announcements channel, which has been created.
* Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates
* Update maintainers.md
Updates to maintainers meeting purpose, scope, and agendas.
* Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Adding in Workflow Compiler Tests
This adds 2 workflow compiler tests.
1.) Test 6 will execute workflow compiler with a pre-build assembly that invokes cal.
2.) Test 7 will rename workflow compilers and execute the same pre-build assembly that invokes calc.
* minor path updates
Co-authored-by: Jimmy Astle <jastle@vmware.com>
* update output file name to match expected
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
* Windows LaZagne
Adding test for LaZagne on Windows to collect passwords stored in browser. Issue #1030
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Changed the ms_office_version argument on test 1-4 to pull the latest version of office from registry instead of defaulting to 16.0
Added cleanup commands to test 5
Changed commands in tests 1-4 to account for changes in ms_office_version
* Update T1204.002.yaml
Added a new atomic to simulate an adversary using a malicious word doc to stage malicious .bat files in appdata then execute them.
* Update T1204.002.yaml
made default ms_office_version more robust to handle box with multiple versions of office. It will select the latest
* Update T1204.002.yaml
added in the description what the .bat does
* T1014 - Driver rootkit test
Fixed Test 3 per issue #1153 .
- Added pre-req
- New comments for additional info on retrieving the capcom driver
- Added elevation required
- Added new input argument for puppetstrings.exe
Confirmed operational on win10.
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Fixed GUID
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Update used_guids.txt
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* spelling update and new test
minor spelling update and adding in test for enterprise admins group enumeration
* couple more syntax updates
couple more syntax updates
* Updating cmdline abbreviation
these are valid cmdline abbreviations. I was too quick to update :)
* Clean up swp
cleaning up swap file
* putting back original discovery commands
* one last change
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
-removed test for "bash" since in this case, the bashism does not add value or have much to do with the test
-edited requirement for restarting the service. not necessary/irrelevant to the file-change
-reviewed overall yaml per recent templates
-testing using invoke-atomic executor
Quick test for default domain administrator account enumeration
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1070.003.yaml
* Update T1078.001.yaml
* Update T1113.yaml
Remove error from screen when cleaning up for T1113-5
* Update T1197.yaml
Remove error when cleaning up for T1197-4
* Update T1562.001.yaml
Remove error from cleanup of T1562.001-23
* Update T1562.004.yaml
Remove error shown for cleanup of T15262.004-5 and T15262.004-6
* Update T1574.009.yaml
Remove error from cleanup of T1574.009-1
* Update T1553.004.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
The following [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) has been released to simulate [T1059.001](https://attack.mitre.org/techniques/T1059/001/) in various capacities including the use of `EncodedArguments`, variations of `EncodedCommand` and command line switch types. Input arguments may be manipulated as needed to enhance simulation, which all may be found by reviewing the individual Harness code or import the ATH module and run `get-help`
Adding additional tests to:
- T1059.001 - Command and Scripting Interpreter: PowerShell
For pre-req, it will use the recently released AtomicTestHarnesses [PowerShellGallery](https://www.powershellgallery.com/packages/AtomicTestHarnesses) module using `Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force`
Confirmed all tests are operational on Windows 10, non privileged user.
JB