Thomas de Brelaz
c1a2085e18
T1547.005 ( #2504 )
* updating atomics count in README.md [ci skip]
* fixed old test which was doing a cleanup during execution by saving old values to a temporary key value which can get called later
* removed acronym from name and changed argument name to standard 'payload'
* test using .dll from T1547.002 prevented system restart. reverted test to just creating registry keys but added instructions on how to execute using mimikatz
---------
Co-authored-by: publish bot <opensource@redcanary.com>
Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
2023-08-01 15:19:06 -06:00
tccontre
711586d258
Tccontre max connection per server ( #2503 )
* updating atomics count in README.md [ci skip]
* Update T1112.yaml
---------
Co-authored-by: publish bot <opensource@redcanary.com>
2023-08-01 13:22:35 -06:00
MrOrOneEquals1
e967e5d508
Update README.md ( #2502 )
2023-07-31 19:06:34 -06:00
Alphonsa George
12dbd01398
Modified description for Test 4 ( #2500 )
Co-authored-by: alphonsa-01 <NA>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-31 13:53:20 -06:00
Carrie Roberts
ad51274666
force push ( #2501 )
2023-07-31 13:49:40 -06:00
zaicurity
6b7458f211
Add new test "Port-Scanning /24 Subnet with PowerShell" ( #2491 )
* Add new test "Port-Scanning /24 Subnet with PowerShell"
Test uses built-in Windows features for portscanning.
* Update T1046.yaml
* typo fix
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-31 10:26:49 -06:00
Carrie Roberts
c922d75507
add generate-docs badge ( #2499 )
2023-07-29 18:42:54 -04:00
Hare Sudhan
20d3a0432f
Fix Github action to generate labels for changed atomics ( #2497 )
2023-07-29 18:23:50 -04:00
Hare Sudhan
0736dfbda9
Fix svg counter ( #2498 )
* fix svg counter
* poetry update
2023-07-29 16:18:41 -06:00
Hare Sudhan
b347ec4291
Merge branch 'master' into master
2023-07-29 15:34:40 -04:00
Thomas de Brelaz
a78b9ed805
Fixed multiple issues with the atomic test which was broken: ( #2490 )
- Added a spool service startype check / update required to execute at boot, as the service is disabled in many VMs,
- Removed reg delete in test preventing successful execution,
- Updated commands to deal more gracefully with errors which were sometimes interrupting cleanup,
- Fixed DLL which was also broken:
  - The EnumPrintProcessorDatatypesW needed for execution was not exported
  - The Payload code was outside of the EnumPrintProcessorDatatypesW, which is the function that gets called when the processor gets loaded
- Added fixed source and build commands
Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-26 13:50:29 -06:00
RedinDisguise
ef1d5049ba
Update T1562.001.yaml
2023-07-26 15:11:34 -04:00
RedinDisguise
bfd59b94b9
Update T1562.008.yaml
2023-07-26 15:11:07 -04:00
RedinDisguise
a02b7b9635
Merge branch 'master' into master
2023-07-26 15:09:35 -04:00
dependabot[bot]
94a98d74d3
Bump jsonschema from 4.18.3 to 4.18.4 ( #2492 )
Bumps [jsonschema](https://github.com/python-jsonschema/jsonschema ) from 4.18.3 to 4.18.4.
- [Release notes](https://github.com/python-jsonschema/jsonschema/releases )
- [Changelog](https://github.com/python-jsonschema/jsonschema/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/python-jsonschema/jsonschema/compare/v4.18.3...v4.18.4 )
---
updated-dependencies:
- dependency-name: jsonschema
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-26 13:04:01 -06:00
dependabot[bot]
89d9a72293
Bump pyyaml from 6.0 to 6.0.1 ( #2493 )
Bumps [pyyaml](https://github.com/yaml/pyyaml ) from 6.0 to 6.0.1.
- [Changelog](https://github.com/yaml/pyyaml/blob/6.0.1/CHANGES )
- [Commits](https://github.com/yaml/pyyaml/compare/6.0...6.0.1 )
---
updated-dependencies:
- dependency-name: pyyaml
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-26 13:01:26 -06:00
Bhavin Patel
08dae930db
Merge pull request #2495 from blueteam0ps/patch-13
Create T1098.002.yaml
2023-07-25 11:05:42 -05:00
BlueTeamOps
6bfea60a55
Create T1098.002.yaml
2023-07-25 21:54:21 +10:00
Carrie Roberts
74438b0237
use start-job ( #2489 )
2023-07-17 13:52:23 -04:00
hRun
efcd4e6fba
Added test for T1547.012 ( #2484 )
* Added test for T1547.012
* optionally restart
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-17 10:20:53 -06:00
dependabot[bot]
34d47bee4c
Bump jsonschema from 4.17.3 to 4.18.3 ( #2488 )
Bumps [jsonschema](https://github.com/python-jsonschema/jsonschema ) from 4.17.3 to 4.18.3.
- [Release notes](https://github.com/python-jsonschema/jsonschema/releases )
- [Changelog](https://github.com/python-jsonschema/jsonschema/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/python-jsonschema/jsonschema/compare/v4.17.3...v4.18.3 )
---
updated-dependencies:
- dependency-name: jsonschema
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-17 10:17:13 -06:00
Matt McKinley
b26ecaa460
Create dependabot.yml ( #2482 )
Add automated dependabot pulls for python
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-17 09:55:11 -06:00
Prakash22-k
13b75193a8
Prakash22 k patch 1 ( #2485 )
* Update T1490.yaml
Adding new atomic Test for Windows - vssadmin Resize Shadowstorage Volume
* Update T1490.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-17 09:53:17 -06:00
frack113
d93ad51c4d
T1562.006 Fix test 6 and 7 ( #2486 )
* Fix test6 and 7
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
* Fix Defender key
"KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational"
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-07-17 09:35:42 -06:00
RedinDisguise
9faa7acc17
Update T1562.008.yaml
Removing guid field.
2023-07-12 12:45:00 -04:00
RedinDisguise
c1474350a7
Update T1562.008.yaml
2023-07-12 12:29:35 -04:00
Atomic Red Team doc generator
17e2ee6f0e
Generated docs from job=generate-docs branch=master [ci skip]
2023-07-12 03:00:11 +00:00
Atomic Red Team GUID generator
0793bc4612
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-07-12 02:59:53 +00:00
Michael Haag
d01ecdbd4b
Create T1570.yaml ( #2476 )
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-11 20:59:08 -06:00
Atomic Red Team doc generator
d1f9857ffb
Generated docs from job=generate-docs branch=master [ci skip]
2023-07-12 02:56:51 +00:00
Justin Schoenfeld
bd7e216840
Add AWS platform to appropriate tests ( #2480 )
* Adjust platforms from tests
* Update T1619.yaml
* lowercase for validation fails
* Update T1619.yaml
* T1580 platform update
* revert md files
* uppercase
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-11 20:55:50 -06:00
Atomic Red Team doc generator
de7da327b8
Generated docs from job=generate-docs branch=master [ci skip]
2023-07-12 02:52:24 +00:00
Atomic Red Team GUID generator
1597ef727e
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-07-12 02:52:07 +00:00
adelfavero57
54ce74dc36
Atomic Test #4 - RDP tunneling over Ngrok Cloud ( #2479 )
* Atomic Test #4 - RDP tunneling over Ngrok Cloud
Adding Atomic Test #4 - RDP tunneling over Ngrok Cloud to T1572
* change to int
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-07-11 20:51:26 -06:00
Atomic Red Team doc generator
a77383047f
Generated docs from job=generate-docs branch=master [ci skip]
2023-07-12 02:38:27 +00:00
frack113
a7e5260a93
Add reg.exe force switch ( #2477 )
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-07-11 20:36:53 -06:00
Atomic Red Team doc generator
02cb591f75
Generated docs from job=generate-docs branch=master [ci skip]
2023-06-30 14:01:44 +00:00
Atomic Red Team GUID generator
dfd1f98327
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-06-30 14:01:26 +00:00
Paul
d021dd01dd
Merge pull request #2475 from redcanaryco/disableamsi
AMSI COM
2023-06-30 07:00:41 -07:00
Michael Haag
92e83732e6
AMSI COM
2023-06-30 07:55:02 -06:00
Atomic Red Team doc generator
d63cb1a222
Generated docs from job=generate-docs branch=master [ci skip]
2023-06-28 15:58:58 +00:00
Alphonsa George
6d3d8f8a43
Adding cleanup command and modifying 7zip download link for T1560.001 Test 4 ( #2474 )
Co-authored-by: alphonsa-01 <NA>
2023-06-28 09:57:57 -06:00
Atomic Red Team doc generator
777f3ec8b4
Generated docs from job=generate-docs branch=master [ci skip]
2023-06-26 22:18:47 +00:00
Atomic Red Team GUID generator
9dc2b0ad9e
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-06-26 22:18:25 +00:00
Mohana Shankar D
f321b44948
New atomic Test - Driver Enumeration using driverquery ( #2473 )
* New atomic Test - Driver Enumeration using driverquery
* Update T1082.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-06-26 16:17:00 -06:00
Atomic Red Team doc generator
e3aacfbaca
Generated docs from job=generate-docs branch=master [ci skip]
2023-06-26 21:55:02 +00:00
Atomic Red Team GUID generator
8f8d90d9b1
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-06-26 21:54:44 +00:00
Israel Anitube
5a58c4aafa
Create T1562.009.yaml with "Impair Defenses - Safe Boot Mode" ( #2472 )
* Create T1562.009.yaml
Details:
Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot. This is achieved by modifying Boot Configuration Data (BCD) stores, which are files that manage boot application settings. Applying the following command, which requires elevated privileges, causes the system to boot in safe mode at next startup or restart.
"bcdedit /set safeboot network"
Testing
Testing was successfully carried out on Win 10 x64.
Cleanup command "bcdedit /deletevalue {current} safeboot" was used to restore boot to normal
Associated Issues
None.
* Update T1562.009.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-06-26 15:53:53 -06:00
Atomic Red Team doc generator
0bf9a391c5
Generated docs from job=generate-docs branch=master [ci skip]
2023-06-26 20:40:02 +00:00
Atomic Red Team GUID generator
cfaea8c1fb
Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-06-26 20:39:45 +00:00