61e9bb8e87
new atomic T1112 ( #1281 )
...
* new atomic T1112
* typo fix
Co-authored-by: P4T12ICK <pbareib@splunk.com >
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-11-06 13:04:35 -07:00
ba178ad2b9
add prereqs for adfind tests ( #1282 )
...
* add prereqs for adfind
* typo fixes and executor change
2020-11-06 09:17:04 -07:00
9c90036704
Add elevation required ( #1277 )
...
* Add elevation required
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-12
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-11-04 08:30:24 -07:00
2ef8ebdcf1
Generate docs from job=validate_atomics_generate_docs branch=master
2020-11-04 15:24:54 +00:00
6a686bea42
Inital Commit for adfind Ryuk tests ( #1275 )
...
Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources
Co-authored-by: Jimmy Astle <jastle@vmware.com >
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-11-04 08:24:13 -07:00
bf4bbbb82a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-11-03 22:43:32 +00:00
6fc4272218
Assume Yes for pre-req installation in Linux ( #1280 )
...
Co-authored-by: DNX <auraltension@riseup.net >
2020-11-03 15:42:58 -07:00
e1181e7384
Merge OSCD branch into master ( #1273 )
...
* Tests added
* standardize display name
* Add tests for T1134.001 Access Token Impersonation/Theft (#1236 )
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Changing to device manufacturer based test
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Add test for T1006 Direct Volume Access (#1254 )
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253 )
* T1036.004 - 2 tests added
* Update T1036.004.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* T1136.002 - 2 tests added (#1252 )
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Create atomic test for T1113 for Windows (#1251 )
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* update T1564.002
* update T1564.002
* add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique
* Added T1562.006 tests to emulate indicator blocking by modifying configuration files
* Removed prereq and fixed command endings
* Indirect command execution - conhost (#1265 )
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* [OSCD] Office persiststence : Office test (#1266 )
* Office persiststence : Office test
* Added technique details
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Remove index files to avoid CI complaints.
* Grr
* Generate docs from job=validate_atomics_generate_docs branch=oscd
* Generate docs from job=validate_atomics_generate_docs branch=oscd
Co-authored-by: haresudhan <code@0x6c.dev >
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
Co-authored-by: gregclermont <580609+gregclermont@users.noreply.github.com >
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com >
Co-authored-by: mrblacyk <kweinzettl@gmail.com >
Co-authored-by: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com >
Co-authored-by: Yugoslavskiy Daniil <yugoslavskiy@gmail.com >
Co-authored-by: aw350m3 <aw350m3@yandex.com >
Co-authored-by: omkargudhate22 <36105402+omkar72@users.noreply.github.com >
2020-10-29 22:54:55 -06:00
f1dacdfeb7
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-24 14:41:32 +00:00
9658f928e5
better test name ( #1261 )
...
* better name
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-14
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-10-24 08:19:12 -06:00
49285769f7
cleaner title ( #1260 )
...
* cleaner title
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-13
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-10-24 08:17:34 -06:00
8c75682918
title clarification ( #1259 )
...
* title clarification
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-12
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-10-24 08:15:58 -06:00
9e4b0e36d2
move cleanup to cleanup command ( #1258 )
...
* move cleanup to cleanup command
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-11
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-10-24 08:15:20 -06:00
c9715c0d8c
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-24 14:12:36 +00:00
c8f43265c7
Introducing AtomicTestHarnesses Tests to ART ( #1270 )
...
* Introduce AtomicTestHarness Tests to ART
Adding:
- T1134.004 - Access Token Manipulation: Parent PID Spoofing
- T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
- T1218.005 - Signed Binary Proxy Execution: Mshta
These tests utilize the recently released [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses ) to simulate the base tests from from each ATH Harness. Input arguments may be manipulated as needed to enhance simulation.
* Generate docs from job=validate_atomics_generate_docs branch=atomictestharness-tests
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-10-22 14:34:31 -06:00
7a1c4e857b
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-21 16:48:59 +00:00
29ae06b032
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-15 16:28:04 +00:00
fde64c6173
Update T1012.yaml ( #1255 )
...
Removed extra spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-10-15 10:27:40 -06:00
8f72e4f710
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-14 02:21:45 +00:00
38f7dce9d8
Update T1113.yaml ( #1256 )
...
* Update T1113.yaml
Update test #4 to include a prereq that downloads ImageMagik, updated test #4 's name, and updated test #4 's description.
* fix yaml spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-10-13 20:21:21 -06:00
0e54272108
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-10 14:35:26 +00:00
fad05dbdfa
Adding New Test ( #1248 )
...
* Adding New Test
Adding a new test that will invoke the command that Ryuk ransomware uses.
* more descriptive wording
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-10-10 08:35:03 -06:00
1b0994ea9e
update/clarify description ( #1247 )
...
* update/clarify description
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-10
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-10-08 12:03:40 -06:00
408a3b694c
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-08 13:45:04 +00:00
63c9f570fe
Merge branch 'master' into T1115
2020-10-08 07:41:03 -06:00
298a90bcb5
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-08 13:39:28 +00:00
3396ddc13b
Merge branch 'master' into T1098.004
2020-10-08 05:55:14 -06:00
35f08a6dc5
Merge branch 'master' into T1115
2020-10-08 05:54:49 -06:00
4e4f8a2775
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-08 02:37:06 +00:00
b206a0d7cd
Add tests for T1070.003 Clear Command History ( #1237 )
...
* feat: add t1070.003 powershell history clear commands
* feat: include preventing powershell logging
* feat: add cleanup command
* consolidate tests, fix typo
Removed the two duplicated atomics that were using aliases for Remove-Item
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-10-07 20:36:04 -06:00
a19e9e9797
Update T1115.yaml
2020-10-07 14:05:37 -06:00
a690c4ca58
Update T1098.004.yaml
2020-10-07 14:00:26 -06:00
995466a0e3
Changing elevation_required value.
2020-10-07 02:52:19 -06:00
9d574c083b
Added T1098.004 tests
2020-10-07 02:45:39 -06:00
3385770a6d
Added MacOS tests
2020-10-07 01:55:23 -06:00
8eb52117b7
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-06 16:13:36 +00:00
5ba2d3e985
Update T1550.002.yaml ( #1235 )
...
added code to make prereq commands for test 1.
2020-10-06 10:13:14 -06:00
14b746b73e
T1070.003_SSH-T
2020-09-30 14:53:20 -05:00
e497f0bce5
T1070.003_SSH-T
2020-09-30 14:46:21 -05:00
2839942c1f
SSH -T
2020-09-30 14:28:41 -05:00
23fc9289cf
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-29 15:47:51 +00:00
3cdd80d2f4
Test Case to search a user's bookmarks file from Internet Explorer ( #1227 )
...
* Lists the Ineternet Explorer bookmarks
This command lists the bookmarks for Internet Explorer that are found in the Favorites folder
* Update T1217.yaml
Also, below command can be used to achieve similar results -
dir /s /b C:\Users\%USERNAME%\Favorites
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-09-29 09:47:02 -06:00
910a2a764a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-29 13:53:28 +00:00
f46f1788ab
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-18 18:45:01 +00:00
d3c575085f
removed cleanup command that deletes sharphound so the prereq only needs ( #1226 )
...
to be run once.
Co-authored-by: Daniel White <d0w019h@homeoffice.wal-mart.com >
2020-09-18 12:44:04 -06:00
aaf9b7500e
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-18 14:44:29 +00:00
749006a557
Fix bis
2020-09-18 16:38:41 +02:00
9e5d5c5cb2
Fix mistake
2020-09-18 16:38:10 +02:00
6000965b1e
T1028 "Windows Remote Management": split in several techniques
...
Fixes #1042
2020-09-18 15:57:11 +02:00
d68a57842a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-16 13:57:33 +00:00
P4T12ICK