* Before: NPPSPY is installed into atomics src directories, test
looks for it in the local temp directory resulting in an error.
After: Test is changed to look for NPPSPY directly in atomics src
directory
* Change test to install prereq to local temp directory and work from
there.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1562.004.yaml
added new atomic test to open a port through Windows Firewall to any profile
* Update T1562.004.yaml
added some fixes to command and cleanup
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Implemented Domain account manipulation
* remove manually specified GUID
removing GUID so it can be assigned at merge time.
Co-authored-by: Didier Cambefort <didier.cambefort@scrt.ch>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Updated both, on both tests:
- made cleanup more in line with project spec - copy instead of mv so it never fails
- edited description so it mentions adversary
comment: I think it is good to have the prereq command, in case a host does not have that specific library installed; if not, then the atomic would fail
* Update T1003.002.yaml for PowerDump
Added PowerDump to parse SAM and SYSTEM for usernames and Hash
* Add fixes
Updated with fixes.
It's not erroring with multiple cleanup
Removed preReqs, don't need them
Removed SAM and SYSTEM file dep... PowerDump can just Dump Registry for Hashes and Usernames
* Getting permanent links to file
Added permanent link to PowerDump in BC-SECURITY Github
* updated description
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Added for both bash and sh, including cleanup and prereq. Might be useful to add get_prereq later; that would make it more noisy and not truly 'living off the land', then.
* Rough implementation of T1070.001 (clear Windows event logs)
* Enhanced PS log clearing to cover all eventlogs
Co-authored-by: Jil <jil@localhost>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create sys_info.vbs
This file is to be used with a new atomic I am writing for T1059.005.
* Create sys_info.vbs
Moved vbscript to /src directory.
* Create T1059.005.yaml
Added yaml file for T1059.005
* Delete sys_info.vbs
* Update T1059.005.yaml
* Update T1059.005.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create T1078.001 and yaml
Creating Folder for sub technique and yaml for .001
* Update T1078.001.yaml
* Update T1078.001.yaml
* Update T1078.001.yaml
Added Remote Desktop Users group and the capability to have multiple RDP connections to Desktop for Guest user
* edit display name
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>