* Update T1562.004.yaml
added new atomic test to open a port through Windows Firewall to any profile
* Update T1562.004.yaml
added some fixes to command and cleanup
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Implemented Domain account manipulation
* remove manually specified GUID
removing GUID so it can be assigned at merge time.
Co-authored-by: Didier Cambefort <didier.cambefort@scrt.ch>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Updated both, on both tests:
-made cleanup more in line with project spec - copy instead of mv so it never fails
-edited description so it mentions adversary
comment: I think it is good to have the prereq command, in case a host does not have that specific library installed, if not then the atomic would fail
* Update T1003.002.yaml for PowerDump
Added PowerDump to parse SAM and SYSTEM for usernames and Hash
* Add fixes
Updated with fixes.
It's not erroring with multiple cleanup
Removed preReqs, don't need them
Removed SAM and SYSTEM file dep... PowerDump can just dump the registry for hashes and usernames
* Getting permanent links to file
Added permanent link to PowerDump in BC-SECURITY Github
* updated description
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Added for both bash and sh, including cleanup and prereq. Might be useful to add get_prereq later; that would make it more noisy and not truly 'living off the land', then.
* Rough implementation of T1070.001 (clear Windows event logs)
* Enhanced PS log clearing to cover all eventlogs
Co-authored-by: Jil <jil@localhost>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create sys_info.vbs
This file is to be used with a new atomic I am writing for T1059.005.
* Create sys_info.vbs
Moved vbscript to /src directory.
* Create T1059.005.yaml
Added yaml file for T1059.005
* Delete sys_info.vbs
* Update T1059.005.yaml
* Update T1059.005.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create T1078.001 and yaml
Creating Folder for sub technique and yaml for .001
* Update T1078.001.yaml
* Update T1078.001.yaml
* Update T1078.001.yaml
Added Remote Desktop Users group and the capability to have multiple RDP connections to Desktop for Guest user
* edit display name
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create T1078.001 and yaml
Creating Folder for sub technique and yaml for .001
* Update T1078.001.yaml
* Update T1078.001.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1040.yaml
Uses the built-in Windows packet capture
* Update T1040
Adding temp folder and del command to delete that trace.etl and added sleep command before and after (it does a little bit of processing when stopped) with PowerShell.
* Update T1040.yaml
Changed to use variables where possible (couldn't get %temp% to work in the command). Use a long timeout (50 seconds) as it took a while for collections to complete. Added more description to explain what artifacts are left after execution. Thanks Carrie for all your time/input spent on this to make it great.
* Update T1040.yaml
added %LOCALAPPDATA%
* Update T1040.yaml
Switched to %temp%
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Fix: only_platform circular argument reference
Remove a circular argument reference of only_platform, which was causing scripts in ./bin/ to error out when using Ruby version 2.7.
* Add T1053.001 Test 1
Co-authored-by: Billy Wilson <billy_wilson@byu.edu>