e940fcbe5b
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-24 17:13:51 +00:00
7028b8b444
BugFix and Enhancement for T1086-12 ( #593 )
...
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml
Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml
Moved reg removal command under cleanup_command tag for consistency.
* Update T1086.yaml
Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.
Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.
2019-10-24 10:13:16 -07:00
edcb544e79
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-21 20:59:21 +00:00
fe8442876b
T1086_AddAtomic_PowerShellDowngradeAttack ( #578 )
...
* Added MacOS and Linux isElevated check [toso: test MacOS]
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* T1076 RDP To Domain Controller
* T1086_PWSHDowngradeAttack
* T1086_PWSHDowngradeAttack
2019-10-21 14:58:55 -06:00
af26d075f8
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-08 18:40:28 +00:00
4f98d55d74
T1086 - Added Atomic for writing file in alternate data stream and simulating code execution. ( #582 )
...
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
2019-10-08 12:40:16 -06:00
159697cc2e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:21:17 +00:00
499c751bcc
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00
d8ac1118b3
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:34:56 +00:00
1bfefdacfc
Add elevated ( #542 )
...
* provide elevation_required attribute
* provide elevation_required attribute
* provide elevation_required attribute
2019-09-03 07:34:42 -06:00
440e85a9c8
Generate docs from job=validate_atomics_generate_docs branch=master
2019-08-30 15:42:59 +00:00
75c332ac52
Generate docs from job=validate_atomics_generate_docs branch=master
2019-08-29 22:18:28 +00:00
421b5c56a3
Generate docs from job=validate_atomics_generate_docs branch=master
2019-08-09 14:22:16 +00:00
fe943551bd
Supply Invoke-AppPathBypass with Payload as argument ( #522 )
2019-08-09 08:21:58 -06:00
29da400700
Generate docs from job=validate_atomics_generate_docs branch=master
2019-05-06 16:15:35 +00:00
16f6b633ce
T1086 msxml ( #471 )
...
* Update T1086.yaml
Modified test to have both. I think it's worth having two executions in this sense as it assists with validating remote (SOC/SIEM) detection + console (stdout) detection. I'm for modifying them all, but not sure the urgency.
Issue #466
* Generate docs from job=validate_atomics_generate_docs branch=T1086MSXML
* Fixed quotes
Fixed quotes per 2nd comment on #466
* Generate docs from job=validate_atomics_generate_docs branch=T1086MSXML
2019-03-26 13:13:12 -07:00
d258111402
BloodHound URLs - T1086 ( #468 )
...
* URLs
Fix url's for issue #465
* Generate docs from job=validate_atomics_generate_docs branch=t1086
2019-03-15 10:02:19 -04:00
6965fc15ef
Generate docs from job=validate_atomics_generate_docs branch=master
2018-11-14 20:59:18 +00:00
f48234fc7f
Generate docs from job=validate_atomics_generate_docs branch=clean-up-csmith
2018-11-10 22:54:09 +00:00
11b85d5596
fix-executor
2018-11-10 15:53:55 -07:00
efd5688d9d
Generate docs from job=validate_atomics_generate_docs branch=master
2018-10-11 17:28:54 +00:00
d6e5210332
T1086 Fileless PowerShell from Registry ( #372 )
...
* T1086 Exec PoSH payload from registry
* fixed a syntax issue
2018-10-11 13:28:46 -04:00
36b00a7d20
Generate docs from job=validate_atomics_generate_docs branch=PowerShell-Executor.Command-Properties
2018-09-05 18:58:23 +00:00
165ab03d68
t1086
...
fixed a executor
2018-09-05 14:58:05 -04:00
c03d202bd5
Generate docs from job=validate_atomics_generate_docs branch=PowerShell-Executor.Command-Properties
2018-09-05 15:35:37 +00:00
b512869c36
Powershell fixes
...
Fixed per issue #322
2018-09-05 11:35:24 -04:00
58fc9342e4
Generate docs from job=validate_atomics_generate_docs branch=master
2018-07-26 22:31:58 +00:00
5cb3fed680
General YAML cleanup ( #305 )
...
* Fix string interpolation from ${foo} to #{foo} across all atomics
* remove non-ASCII characters from atomics YAML
* fix erroneous input_arguments
2018-07-26 16:31:50 -06:00
e9852d00b4
Generate docs from job=validate_atomics_generate_docs branch=T1086-mhaag
2018-07-09 16:52:30 +00:00
f5a5aa8d6a
Add Invoke-DownloadCradle by @mgreen27
...
Added @mgreen27 Invoke-DownloadCradle as method to run additional endpoint and network tests using Powershell.
2018-07-09 12:52:07 -04:00
1b6caa3baa
Generate docs from job=validate_atomics_generate_docs branch=T1086
2018-06-15 11:09:26 +00:00
a3e92e7898
Add user add to T1086
...
Add a user using PowerShell
2018-06-15 07:09:13 -04:00
8ad8d01347
Generate docs from job=validate_atomics_generate_docs branch=T1086
2018-05-25 12:49:22 +00:00
03566901e5
T1086
...
All the Powershell
2018-05-25 08:49:10 -04:00
CircleCI Atomic Red Team doc generator