Commit Graph

6538 Commits

Author SHA1 Message Date
Carrie Roberts 4031861550 add quotes to fix command execution (#1401)
Thank you @aky1286 and Issue #1400
2021-03-10 07:55:23 -07:00
CircleCI Atomic Red Team doc generator 974e2eb8b6 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-03-10 04:09:43 +00:00
Clément Notin 2221b0715b T1055: psexec "-s" is not required (#1402)
Since the user is admin the debug privilege is automatically obtained when necessary for the injection
The TTP is also clearer because mimikatz runs as the current user (used for psexec) and not as SYSTEM
2021-03-09 21:09:09 -07:00
CircleCI Atomic Red Team doc generator 2fd6408411 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-03-06 04:06:46 +00:00
Carl fec19f8bef Merge pull request #1398 from YSaxon/patch-1
remove macOS from /etc/passwd test
2021-03-05 21:06:10 -07:00
Yaakov Saxon 32af0f1aba Merge pull request #1 from YSaxon/patch-2
Update T1087.001.md
2021-03-04 14:32:14 -05:00
Yaakov Saxon 7ed9ed1a3e Update T1087.001.md 2021-03-04 14:31:19 -05:00
Yaakov Saxon 9cf7f56150 remove macOS from /etc/passwd test
macOS has an /etc/passwd file, but it doesn't actually use it under normal circumstances and user accounts are not listed there (it's just a standard default file that never changes)

As the header for the file states: 
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
2021-03-04 14:19:29 -05:00
CircleCI Atomic Red Team doc generator 7f6de4f651 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-03-01 17:33:15 +00:00
CircleCI Atomic Red Team GUID generator 8d93e1c859 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-03-01 17:33:08 +00:00
Carl c53797cbfc Merge pull request #1319 from cherokeejb/patch-33
removed redundant 'sh' atomic, added nix keylogging atomic w fixes from prior commit
2021-03-01 10:32:49 -07:00
Carl 1dd81b1687 Merge branch 'master' into patch-33 2021-03-01 10:29:07 -07:00
CircleCI Atomic Red Team doc generator 07b61288d6 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-26 15:49:41 +00:00
CircleCI Atomic Red Team GUID generator 493c343724 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-26 15:49:35 +00:00
BlueTeamOps b91312451f Added auditpol based config clear atomics (#1392)
* Added auditpol based config clear atomics

Included remove and clear switches for auditpol based logging impairment.

* add warning statement

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-26 08:49:14 -07:00
CircleCI Atomic Red Team doc generator 9ccb1da335 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-24 02:33:41 +00:00
Alex Jackson b1505aa7da Fix broken link (#1397) 2021-02-23 19:33:15 -07:00
CircleCI Atomic Red Team doc generator 8b527927b5 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-18 15:58:10 +00:00
McNulty 645cb4edcd Update T1485.yaml (#1395)
Let the file which will be deleted be more dynamic to allow users to define their own using an input argument

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-18 08:57:41 -07:00
Brian Thacker 7e974e12f2 Update qakbot.bat (#1393)
Updated qakbot recon command list as reported by DFIR Reports: https://twitter.com/TheDFIRReport/status/1361331598344478727

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-18 08:52:00 -07:00
CircleCI Atomic Red Team doc generator 95e6b573e7 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-17 18:19:25 +00:00
Carrie Roberts ac04c34c4a Create file to delete as part of attack cmds (#1394)
* Create file to delete as part of attack cmds

* remove sample test
2021-02-17 18:19:00 +00:00
nobletrout 34f4512f15 add caching of techniques. performance improvement. (#1391) 2021-02-12 19:28:31 -07:00
CircleCI Atomic Red Team doc generator 881e46997b Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 20:47:58 +00:00
CircleCI Atomic Red Team GUID generator 8ba4d67987 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 20:47:50 +00:00
Alain Homewood 6573d40801 Added test for T1137.004 to test Outlook Home Page persistence and pa… (#1381)
* Added test for T1137.004 to test Outlook Home Page persistence and payload execution

* Fix ATT&CK technique numbers

Co-authored-by: inzlain <inzlain@localhost>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-11 13:47:27 -07:00
CircleCI Atomic Red Team doc generator 43bda07d49 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 17:19:00 +00:00
CircleCI Atomic Red Team GUID generator 17639d4d95 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 17:18:52 +00:00
Jonhnathan 57b1728731 Update T1136.002.yaml (#1384)
* Update T1136.002.yaml

* Adds default values, remove guid

* remove auto_generated_guid line

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-11 10:18:38 -07:00
dependabot[bot] fc3a267c82 Bump nokogiri from 1.10.10 to 1.11.1 (#1389)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.10 to 1.11.1.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.10...v1.11.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-11 09:45:37 -07:00
CircleCI Atomic Red Team doc generator ac3c47befe Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 16:17:23 +00:00
Michael Haag 6f91baab5c Update T1553.004.yaml (#1386)
Fixed test as it was not working

Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-11 09:16:41 -07:00
CircleCI Atomic Red Team doc generator 73bdd9c307 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 15:59:48 +00:00
Brandon Morgan 81f2b097b5 prereq fixes (#1388)
prereq fixes

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-11 08:59:22 -07:00
CircleCI Atomic Red Team doc generator e136a49db2 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 14:06:01 +00:00
CircleCI Atomic Red Team GUID generator af5fbff0f2 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-11 14:05:53 +00:00
jtothef 3fcf639acf Create T1120.yaml (#1387) 2021-02-11 07:05:39 -07:00
CircleCI Atomic Red Team doc generator e529ce5732 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-09 18:52:32 +00:00
Brian Thacker 94791c8073 T1113 x windows capture prereqs (#1382)
* Update T1113.yaml

Added prereq commands to test 3 "X Windows Capture"

* Update T1113.yaml

errors with multi-line if statement. Condensed to one line

* Update T1113.yaml

Changed prereqs of test 3 to be the redhat default. Changed prereqs of test 3 to have more input arguments

* Update T1113.yaml

Fixed typo in descriptions.

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-09 11:51:53 -07:00
CircleCI Atomic Red Team doc generator e922799d43 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-09 18:16:39 +00:00
CircleCI Atomic Red Team GUID generator 87c5003eb5 Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-09 18:16:30 +00:00
Brian Thacker 9ae0109e92 Update T1218.010.yaml (#1383)
Added Test 5: Regsvr32 Silent DLL Install Call DllRegisterServer

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-09 11:16:09 -07:00
CircleCI Atomic Red Team doc generator adb8256347 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-09 18:14:10 +00:00
CircleCI Atomic Red Team GUID generator c5d92bca5d Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-09 18:14:01 +00:00
BlueTeamOps f8c8fbcab1 Added Audit Policy Config based Logging Impairment (#1378)
* Added Audit Policy Config based Logging Impairment

Auditpol can be used to manipulate audit log configuration.  Test 3 simulates the adversary disabling certain audit policies to prevent respective events from being recorded in the log

* Add link, update test name

Adding in the Solarigate write-up link for reference and also removing the test # from the title (this gets added automatically to the Markdown file)

* added cleanup commands

Hi Carrie, The pre-req commands enable the auditpols initially so that they can be disabled when the atomic command is executed. I have copied the same syntax as pre-req to clean-up so it is reinstated. Based on additional research I have several more commands of interest I would like to add which were not part of the MS article but would be considered suspicious. Shall I add them as separate tests? i.e. sub-commands such as clear, restore, remove

* Removed the dependency section 

Removed the dependency section

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2021-02-09 11:13:25 -07:00
CircleCI Atomic Red Team doc generator 802c6f33bc Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-03 02:33:01 +00:00
CircleCI Atomic Red Team GUID generator 333e2407af Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-03 02:32:53 +00:00
Michael Haag 05ce4209b5 procdump mini dump (#1380)
Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com>
2021-02-02 19:32:35 -07:00
CircleCI Atomic Red Team doc generator 16ad79e864 Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-02-01 17:01:17 +00:00
Carrie Roberts b3b1a2bb68 typo fix (#1379) 2021-02-01 10:00:51 -07:00