Commit Graph

5173 Commits

Author SHA1 Message Date
Mr B0b 23d49d8108 Add test for T1502 that performs Parent PID Spoofing (#708) 2019-12-10 15:21:34 -07:00
CircleCI Atomic Red Team doc generator e11b77f02f Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-10 18:22:55 +00:00
Micheal Fleck 3293e54771 New test, spelling fix (#717)
Added a test for all software installed and minor spelling fix
2019-12-10 11:22:30 -07:00
CircleCI Atomic Red Team doc generator fbda422009 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-10 18:19:40 +00:00
Andrew Beers 0c5bcef840 Batch of improvements (#716)
* another batch of improvements

* delete duplicate test, extra cleaning pass
2019-12-10 11:19:19 -07:00
CircleCI Atomic Red Team doc generator 890099be35 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-10 14:18:39 +00:00
Andrew Beers 0544e5e777 add psexec test (#713)
* add psexec test

* fix misspelling

* fix misspelling for real this time

* add prereq command
2019-12-10 07:18:26 -07:00
CircleCI Atomic Red Team doc generator bf4c7559d0 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-10 13:51:22 +00:00
Andrew Beers 48ef8edee0 Improve tests (#715)
* continue work

* remove duplicate test, this is also in 1023

* update more tests

* cleaning pass
2019-12-10 06:51:01 -07:00
CircleCI Atomic Red Team doc generator 7eca6e24e4 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-09 23:08:11 +00:00
Brian Thacker b943e4435e Corrected typo T1087 (#709)
Corrected test: Enumerate all accounts via PowerShell
get-localgroupmembers -group Users -> get-localgroupmember -group Users
2019-12-09 16:07:53 -07:00
CircleCI Atomic Red Team doc generator dc9b9e60dd Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-09 23:02:14 +00:00
Brian Thacker 5256d3ada1 Update Syntax T1040 (#710)
Windows' tests not running because of space in "Program Files". Added quotes to fix this. PowerShell not running exes by default. Added call operator (&) to force this.
2019-12-09 16:01:56 -07:00
CircleCI Atomic Red Team doc generator 08dc1f0066 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-09 23:00:45 +00:00
Brian Thacker 0c18a6ce98 T1069 Typo correction (#711)
Small typo. Changed get-ADPrinicipalGroupMembership to get-ADPrincipalGroupMembership.
2019-12-09 16:00:30 -07:00
CircleCI Atomic Red Team doc generator dbb75a50e1 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-05 20:17:37 +00:00
JimmyAstle 5996ff29dc Update to T1053 to add Register-ScheduledTask (#707)
New atomic test to include Register-ScheduledTask:
https://docs.microsoft.com/en-us/powershell/module/scheduledtasks/register-scheduledtask?view=win10-ps
2019-12-05 13:17:18 -07:00
CircleCI Atomic Red Team doc generator 9a7998a576 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-03 19:48:22 +00:00
Mr B0b b69ad5f987 T1500 compile after delivery (#700)
* Add test for T1073 that does DLL Side-Loading using the Notepad++ GUP.exe binary

* Add test for T1143 that launches a hidden PowerShell Window

* Add test for T1500 that compiles C# code using csc.exe binary

* Add cleanup command for T1500 Compile_After_Delivery

* Add cleanup command for T1143-Hidden_Window

* Add cleanup command for T1073-DLL_Side-Loading
2019-12-03 12:48:04 -07:00
CircleCI Atomic Red Team doc generator 7232ea1789 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-03 19:45:46 +00:00
Micheal Fleck 01757e0df0 Added cleanup commands to cleanup hive files created. (#703)
* Added cleanup commands to cleanup hive files created.

* Updated test to have non-ART folder output

Updated test to have a folder other than the Atomic Red Team location for the saving of results(.hive files). Updated the cleanup to reflect the change in the test. Placed folder creation at the beginning so that the o
2019-12-03 12:45:22 -07:00
CircleCI Atomic Red Team doc generator 00972d1fc7 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-02 16:54:49 +00:00
Andrew Beers da80cf8259 fix tests (#701) 2019-12-02 09:54:21 -07:00
CircleCI Atomic Red Team doc generator 34b28a50d4 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-02 16:52:03 +00:00
Andrew Beers c2e01cdb48 Fix Path To Document (#702) 2019-12-02 09:51:51 -07:00
CircleCI Atomic Red Team doc generator 7ea2f1e0a0 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-02 16:39:23 +00:00
dwhite9 bb945c8d61 T1088 mocking trusted directories - New Atomic (#704)
* Created rough draft for new atomic: T1088 - UAC Bypass via Mocking
Trusted Directories.

* Fixed typo in Mocked directory. Tested cleanup commands successfully.

* Fixed path of cleanup command to match change in directory of primary
command.
2019-12-02 09:39:07 -07:00
CircleCI Atomic Red Team doc generator 380a113809 Generate docs from job=validate_atomics_generate_docs branch=master 2019-12-02 16:37:13 +00:00
dwhite9 42280e035a T1088- Added cleanup commands (#705)
* Added cleanup commands to the other atomic tests.

* Fixed cleanup command for the command_prompt version of "Bypass UAC using Fodhelper"
2019-12-02 09:36:43 -07:00
CircleCI Atomic Red Team doc generator 0b96ad46c7 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-27 16:07:50 +00:00
Carrie Roberts 128f6054e4 recon trickbot style (#696) 2019-11-27 10:07:33 -06:00
Tony M Lambert 6d76b77fc4 T1089 Disable AMSI & Script Block Logging (#695)
* T1089 Disable PoSH AMSI & Script Block Logging

* Generate docs from job=validate_atomics_generate_docs branch=t1089-disable-amsi-logging
2019-11-26 18:06:03 -07:00
Tony M Lambert 6d1229ee56 T1027 Execution of base64 PowerShell (#694)
* T1027 base64-encoded PowerShell tests

* Generate docs from job=validate_atomics_generate_docs branch=t1027-base64-posh
2019-11-26 18:03:20 -07:00
Tony M Lambert 20563e42ed T1112 Registry Modification to Store PowerShell Code (#693)
* T1112 - Storing PoSH code in Registry

* Generate docs from job=validate_atomics_generate_docs branch=t1112-posh-code
2019-11-26 17:59:41 -07:00
Tony M Lambert 979695d818 T1018 Discovery with net.exe for Domain Computers (#692)
* T1018 - Discover systems with net domain computers

* Generate docs from job=validate_atomics_generate_docs branch=t1018-net-domain-computers
2019-11-26 17:44:32 -07:00
CircleCI Atomic Red Team doc generator 0954cf3e57 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-25 17:06:20 +00:00
Carrie Roberts 396cdf4d92 fix duplicate key in yaml issues (#690) 2019-11-25 11:05:55 -06:00
CircleCI Atomic Red Team doc generator 088081e033 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-25 16:55:57 +00:00
Andrew Beers abefc468d2 T1137 - Word spawned a command shell and used an IP address in the command line (#610)
* create document and test

* update default atomics path

* refactor tests

* change back path

The PathToAtomicsFolder path works when installed from the script, but when cloned from github the folder name is different. I think we should unify these and just have people clone from github if they want to use it, instead of having a separate install script.

* removed duplicate, used powershell to launch document
2019-11-25 09:55:38 -07:00
CircleCI Atomic Red Team doc generator 5f087ec34d Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-21 03:07:05 +00:00
Andrew Beers 5bf01b6c2c T1482 query ad/domain info (#676)
* start work

* Update T1482.yaml
2019-11-20 21:06:47 -06:00
CircleCI Atomic Red Team doc generator 802b693f29 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-20 22:55:45 +00:00
Fabricio Brunetti 31151185e5 T1122 - Update to use PathToAtomicsFolder (#681)
* T1122 - Update to use PathToAtomicsFolder

Removed relative path to src folder, added PathToAtomicsFolder

* Modifying .md file
2019-11-20 15:55:28 -07:00
Tony M Lambert 10a52d388b T1077 Redirect output to Admin Share (#685)
* T1077 Redirect output to Admin Share

* Generate docs from job=validate_atomics_generate_docs branch=t1077-admin-output
2019-11-20 15:46:24 -07:00
Tony M Lambert ccb4a26407 T1082 Add Hostname and MachineGUID tests (#683)
* T1082 Add Hostname and MachineGUID tests

* Generate docs from job=validate_atomics_generate_docs branch=t1082-hostname-machineguid
2019-11-20 15:42:33 -07:00
Tony M Lambert 0afc5beb6f T1016 Firewall Rule Enumeration with Netsh (#682)
* T1016 Firewall Rule Enumeration with Netsh

* Generate docs from job=validate_atomics_generate_docs branch=t1016-firewall-enum
2019-11-20 15:38:52 -07:00
Tony M Lambert 9c68146ff9 T1057 Process discovery via tasklist (#680)
* T1057 Process discovery via tasklist

* Generate docs from job=validate_atomics_generate_docs branch=t1057-tasklist
2019-11-20 15:37:48 -07:00
Tony M Lambert 8eb281faa6 T1047 - Wmic process create tests (#679)
* T1047 - Wmic process create tests

* Generate docs from job=validate_atomics_generate_docs branch=t1047-wmic-process
2019-11-20 15:36:42 -07:00
Tony M Lambert 4c3e2c3d83 T1018 Test for DC discovery with nltest (#678)
* T1018 Discover DCs with nltest

* Generate docs from job=validate_atomics_generate_docs branch=t1018-nltest-dclist
2019-11-20 15:34:54 -07:00
Tony M Lambert 713215eaf7 Added T1064 Scripting test for Windows (#677)
* Added T1064 Scripting test for Windows

* Generate docs from job=validate_atomics_generate_docs branch=t1064-batch-script
2019-11-20 15:33:52 -07:00