7f35271b8e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 19:17:51 +00:00
a969a01805
Update T1089 - AMSI Bypass ( #570 )
...
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
2019-09-17 13:17:34 -06:00
a27c73135a
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 18:48:01 +00:00
16cad4ed95
Update T1089 - AMSI Bypass cleanup ( #569 )
...
Adding in a cleanup to set the amsiInitFails variable back to false
2019-09-17 12:47:31 -06:00
d6d68477ac
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 18:33:39 +00:00
26263baec9
New Detection - T1089 ( #568 )
...
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. This is a simple atomic test that executes this unhooking behavior
2019-09-17 12:33:22 -06:00
29ad17b01d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-07 01:37:43 +00:00
6f2d67e258
pipe command output to nul to keep things clean ( #559 )
2019-09-06 19:37:34 -06:00
499c751bcc
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00
440e85a9c8
Generate docs from job=validate_atomics_generate_docs branch=master
2019-08-30 15:42:59 +00:00
019b63fdb5
Support for CheckPrereqs and Cleanup Commands ( #531 )
...
* Support for CheckPrereqs and Cleanup Commands
* for powershell executor, report prereqs are met if no prereq_commands are given
* remove invoke call from end of file, commited accidentally
2019-08-30 09:42:44 -06:00
75c332ac52
Generate docs from job=validate_atomics_generate_docs branch=master
2019-08-29 22:18:28 +00:00
9f535f0547
add "elevation_required" attribute to test definition yaml ( #532 )
...
* add elevation_required attribute to test definition yaml
* Update atomic_red_team/atomic_test_template.yaml
Co-Authored-By: Brian Beyer <brianebeyer@users.noreply.github.com >
* Update atomics/T1089/T1089.yaml
Co-Authored-By: Brian Beyer <brianebeyer@users.noreply.github.com >
* Update atomics/T1089/T1089.yaml
Co-Authored-By: Brian Beyer <brianebeyer@users.noreply.github.com >
2019-08-29 16:18:07 -06:00
5898dab7e4
Generate docs from job=validate_atomics_generate_docs branch=master
2019-08-27 15:35:27 +00:00
5f846ced08
Add test to T1089 that uninstalls sysmon ( #529 )
2019-08-27 09:35:15 -06:00
6965fc15ef
Generate docs from job=validate_atomics_generate_docs branch=master
2018-11-14 20:59:18 +00:00
b1f0697d79
Generate docs from job=validate_atomics_generate_docs branch=master
2018-11-10 22:25:33 +00:00
087be15e6a
T1089 Disable IIS HTTP logging
2018-10-23 15:49:20 -05:00
eb9cf5f42c
Generate docs from job=validate_atomics_generate_docs branch=master
2018-10-03 13:57:44 +00:00
aa3bd1b063
T1089 Added test to unload Sysmon filter driver ( #366 )
2018-10-03 06:56:58 -07:00
b9391a70c3
Generate docs from job=validate_atomics_generate_docs branch=Mac-yaml
2018-05-25 16:21:32 +00:00
f09c2aef6a
Bunches of Mac converted to YAML
2018-05-25 12:21:10 -04:00
12ef382245
clean up completed md
2018-05-24 17:44:54 -06:00
65fd85dd3c
Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00
6834971ef7
rename yaml files to capital T
2018-05-23 17:09:04 -06:00
CircleCI Atomic Red Team doc generator