Commit Graph

5173 Commits

Author SHA1 Message Date
Gomezz6 fb4c322761 Added cleanup commands for test 1 & 2 (#651)
Also changed the default process for test 3 to spoolsv.exe because this exists by default on all machines.
2019-11-12 15:08:47 -07:00
CircleCI Atomic Red Team doc generator e5da8a341a Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-12 07:37:40 +00:00
Andrew Beers aa0aca3b2e T1070 delete system logs using PowerShell (#642)
* stop eventlog service and delete Security.evtx logs

* add tests

* fix format error

* try 2 fix formatting
2019-11-12 00:37:19 -07:00
CircleCI Atomic Red Team doc generator 0a1f37aa54 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-12 07:26:51 +00:00
Andrew Beers da90ca6563 T1036 malicious process masquerade as lsm (#637)
* create test, fix line endings

* fix elevation required

* fix file path

* fix formatting for circleci test

* misspelling
2019-11-12 00:26:37 -07:00
CircleCI Atomic Red Team doc generator d5217939c7 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-12 07:09:21 +00:00
dwhite9 df73365c8a Updated executor to powershell and updated command syntax. (#635) 2019-11-12 00:08:58 -07:00
CircleCI Atomic Red Team doc generator 7a26c61e28 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-12 05:57:19 +00:00
derekenjibowden 108cf663a8 Insert cleanup_command for test 2 (#646) 2019-11-11 22:56:53 -07:00
CircleCI Atomic Red Team doc generator 49f98f60ce Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-12 05:22:40 +00:00
seraran005 bf7bc47752 Separated out Cleanup Commands (#645) 2019-11-11 22:22:17 -07:00
Tony M Lambert 26e0f443b9 T1170 remote hta (#633)
* T1170 Remote HTA test

* Generate docs from job=validate_atomics_generate_docs branch=t1170-remote-hta
2019-11-11 07:45:07 -07:00
CircleCI Atomic Red Team doc generator 5332936f8f Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-11 01:55:17 +00:00
Carrie Roberts 36188490dc removed duplicate 'atomic_tests:' key (#631) 2019-11-10 19:54:57 -06:00
CircleCI Atomic Red Team doc generator eb9f0fbcd6 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-09 02:14:44 +00:00
Brian Thacker 940b93af67 Added two more generic tests to T1036: test 6 and test 7. Test 6 is meant to masquerade non-Windows exes as real Windows exes. Test 7 is meant to masquerade Windows exes as other Windows exes. Added cleanup and input arguments logic to tests 6 and 7. Added a generic executable for testing masquerading a non-Windows exe as a Windows exe. Added source files used for creating the executable in the T1036\bin folder. (#617) 2019-11-08 19:14:13 -07:00
CircleCI Atomic Red Team doc generator 7f62513b8e Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-09 02:07:46 +00:00
fabamatic 60b045eb3c T1028 fixing parameter in powershell Invoke-Command (#630)
* T1028 fixing named parameter in Invoke-Command

Changing computer_name for correct parameter ComputerName

* T1028 fixing ComputerName parameter in .yaml
2019-11-08 19:07:27 -07:00
CircleCI Atomic Red Team doc generator fa1f9d95dc Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-09 02:03:33 +00:00
fabamatic 2b9b99adcc T1022 parameters that can actually be parsed by windows command prompt (#626) 2019-11-08 19:03:10 -07:00
Tony M Lambert e2309b30af T1218 proxied binary execution tests (#628)
* Added proxied binary execution tests

* Generate docs from job=validate_atomics_generate_docs branch=t1218_tests
2019-11-08 18:57:19 -07:00
CircleCI Atomic Red Team doc generator 31cb175475 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-08 17:47:02 +00:00
Carrie Roberts c648b94ff1 remove hard-coded path to atomics folder in tests (#618) 2019-11-08 11:46:46 -06:00
CircleCI Atomic Red Team doc generator 43683f44af Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 22:28:26 +00:00
Andrew Beers cb5f6c91a6 T1055 svchost writing a file to a unc path (#615)
* add test

* delete fake svchost

* Update atomics/T1055/T1055.yaml

Co-Authored-By: Keith McCammon <keith@mccammon.org>

* Update atomics/T1055/T1055.yaml

Co-Authored-By: Keith McCammon <keith@mccammon.org>
2019-11-07 15:27:56 -07:00
CircleCI Atomic Red Team doc generator a86c0a5a9f Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 21:20:17 +00:00
azeemnow c58f6496d6 Add test for T1170 that launches local notepad via VBScript called by… (#505)
* Add test for T1170 that launches local notepad via VBScript called by Mshta

* Apply suggestions from code review

updates to the atomic name & description

Co-Authored-By: Keith McCammon <keith@mccammon.org>

* Update T1170.yaml

updated the input_arguments type to 'path' and the default value to 'C:\Temp\mshta_notepad.vbs'

* Removed TODOs to pass validation
2019-11-07 15:19:51 -06:00
CircleCI Atomic Red Team doc generator d2b7adfffd Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 21:18:14 +00:00
rsjohnson07 21b8dbe475 Update T1223.yaml (#614)
Updated default path to detect atomic red team folder structure.
2019-11-07 14:17:51 -07:00
CircleCI Atomic Red Team doc generator 87d70d2ef3 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 21:11:20 +00:00
Andrew Beers 2f9e306ec2 T1170 mshta.exe to execute vb script to execute code (#611)
* start work

* add powershell script to list local users and groups

* remove extra command
2019-11-07 14:10:59 -07:00
MG-RC 239ea1c6b0 Update T1518.yaml (#621)
Seems like there is an extra tab here which is causing my yaml parser to break.
```
yaml.scanner.ScannerError: while scanning for the next token
found character '\t' that cannot start any token
  in "<unicode string>", line 3, column 33:
    display_name: Software Discovery
```
2019-11-07 11:38:10 -06:00
Tony M Lambert 26aad5ed5e T1085 Rundll32 vbscript execution test (#612)
* T1085 Rundll32 vbscript execution test

* spelling is hard

* Generate docs from job=validate_atomics_generate_docs branch=t1085-vbscript
2019-11-05 14:53:49 -07:00
CircleCI Atomic Red Team doc generator 457e6acf51 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:07:44 +00:00
dwhite9 0f77fd91fb Update T1036.yaml (#609)
* Adding T1086 Alternate Data Stream atomic

* Added newline T1086

* Syncing changes with upstream and origin.

* Added Cleanup to Logon Scripts Atomic T1037

* Added timeout to allow time for detection logic to register change.

* Fixed issue with upstream sync. Re-added timeout to allow time for detection logic.

* Fixed cleanup command. Yaml tag not working to allow it to run.

* Update T1158 test 11.

Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.

* Update T1037.yaml

Moved Reg delete command under the cleanup_command tag for consistency.

* Update T1037.yaml

Moved reg removal command under cleanup_command tag for consistency.

* Update T1086.yaml

Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for PowerShell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.

Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.

* Update T1036.yaml

Added Cleanup commands for the windows tests
2019-11-05 12:07:15 -07:00
CircleCI Atomic Red Team doc generator 6170883105 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:05:50 +00:00
Jake Hill 2a7ba54263 Add test for T1518 that displays Internet Explorer Version (#605) 2019-11-05 12:05:28 -07:00
CircleCI Atomic Red Team doc generator 30b373f4d2 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:04:09 +00:00
Tony M Lambert b276cfeae6 T1529 Tests for shutdown/reboot on macOS/Linux (#599) 2019-11-05 12:03:46 -07:00
CircleCI Atomic Red Team doc generator 280b265287 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:03:00 +00:00
CircleCI Atomic Red Team doc generator 5b8e894e61 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:01:25 +00:00
Tony M Lambert 6cf9c681fd T1055 Test for LD_PRELOAD (#601)
* T1055 Test for LD_PRELOAD

* Update T1055.yaml
2019-11-05 12:00:58 -07:00
CircleCI Atomic Red Team doc generator 5a73c43cab Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 18:59:40 +00:00
Francisco Oca 5d4fc8a059 Fixed T1018, Remote System Discovery - sweep (#603)
The `-o` flag exists only for the macOS ping command; it doesn't exist in the Linux (Ubuntu) command.

I just removed it, it should be necessary since it is already using `-c 1`.
2019-11-05 11:59:14 -07:00
CircleCI Atomic Red Team doc generator 5b297d6bb5 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 18:58:09 +00:00
Francisco Oca 71686f518c Fixed command for "View accounts with UID 0" (#602)
It looks like it got corrupted from an old merge
2019-11-05 11:57:05 -07:00
CircleCI Atomic Red Team doc generator a3c75c438b Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 18:52:46 +00:00
Tony M Lambert 11586e2f1a T1505 Exchange Transport Agent (#597) 2019-11-05 11:50:29 -07:00
CircleCI Atomic Red Team doc generator 1663bf7d52 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 17:14:33 +00:00
Tony M Lambert ac176d6536 T1531 Account Access Removal Tests (#598) 2019-11-05 10:14:00 -07:00