* Moving mavinject test to T1055.001 and src cleanup #1404
* Adding Windows Command Prompt test
* Adding rundll32.exe test
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Since the user is admin, the debug privilege is automatically obtained when necessary for the injection
The TTP is also clearer because mimikatz runs as the current user (used for psexec) and not as SYSTEM
macOS has an /etc/passwd file, but it doesn't actually use it under normal circumstances and user accounts are not listed there (it's just a standard default file that never changes)
As the header for the file states:
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
* Added auditpol based config clear atomics
Included remove and clear switches for auditpol based logging impairment.
* add warning statement
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Let the file which will be deleted be more dynamic to allow users to define their own using an input argument
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Added test for T1137.004 to test Outlook Home Page persistence and payload execution
* Fix ATT&CK technique numbers
Co-authored-by: inzlain <inzlain@localhost>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1113.yaml
Added prereq commands to test 3 "X Windows Capture"
* Update T1113.yaml
errors with multi-line if statement. Condensed to one line
* Update T1113.yaml
Changed prereqs of test 3 to be the redhat default. Changed prereqs of test 3 to have more input arguments
* Update T1113.yaml
Fixed typo in descriptions.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Added Audit Policy Config based Logging Impairment
Auditpol can be used to manipulate audit log configuration. Test 3 simulates the adversary disabling certain audit policies to prevent respective events from being recorded in the log
* Add link, update test name
Adding in the Solarigate write-up link for reference and also removing the test # from the title (this gets added automatically to the Markdown file)
* added cleanup commands
Hi Carrie, The pre-req commands enable the auditpols initially so that they can be disabled when the atomic command is executed. I have copied the same syntax as pre-req to clean-up so it is reinstated. Based on additional research I have several more commands of interest I would like to add which were not part of the MS article but would be considered suspicious. Shall I add them as separate tests? i.e. sub-commands such as clear, restore, remove
* Removed the dependency section
Removed the dependency section
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>