security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,206 Commits 47 Branches 0 Tags
40ceeff8d9d953cdc41e9c924e0ec00a20609a47
Commit Graph

4206 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tony M Lambert 6ea465cf61 Fixed URL for Install-AtomicRedTeam (#632) 2019-11-10 18:43:28 -07:00
CircleCI Atomic Red Team doc generator eb9f0fbcd6 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-09 02:14:44 +00:00
Brian Thacker 940b93af67 Added two more generic tests to T1036: test 6 and test 7. Test 6 meant to masquerade non-windows exes as real windows exes. Test 7 meant to masquerade windows exes as other windows exes. Added cleanup and input arguments logic to test 6 and 7. Added a generic executable for testing masquerading a non-windows exe as a windows exe. Added source files used for creating the executable in the T1036\bin folder. (#617) 2019-11-08 19:14:13 -07:00
CircleCI Atomic Red Team doc generator 7f62513b8e Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-09 02:07:46 +00:00
fabamatic 60b045eb3c T1028 fixing parameter in powershell Invoke-Command (#630) 
* T1028 fixing named parameter in Invoke-Command

Changing computer_name for correct parameter ComputerName

* FT1028 fixing ComputerName parameter in .yaml
 2019-11-08 19:07:27 -07:00
CircleCI Atomic Red Team doc generator fa1f9d95dc Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-09 02:03:33 +00:00
fabamatic 2b9b99adcc T1022 parameters that can actually be parsed by windows command prompt (#626) 2019-11-08 19:03:10 -07:00
Tony M Lambert e2309b30af T1218 proxied binary execution tests (#628) 
* Added proxied binary execution tests

* Generate docs from job=validate_atomics_generate_docs branch=t1218_tests
 2019-11-08 18:57:19 -07:00
Carrie Roberts a611d8926b Expanding the Execution Frameworks Read me (#619) 
* updating execution-frameworks readme

* updating execution-frameworks readme
 2019-11-08 11:59:05 -06:00
Carrie Roberts ed5f9deccc remove deprecated code (#620) 2019-11-08 11:58:07 -06:00
Carrie Roberts c53e73ed96 Readme documents required Import-Module command (#622) 
* notes on importing module

* notes on importing module
 2019-11-08 11:57:08 -06:00
Carrie Roberts d73dc8f041 fix bug: returns null except on PS Core or PS v7 (#624) 2019-11-08 11:56:01 -06:00
Carrie Roberts 49ccc8e366 new default PathToAtomicsFolder value (#623) 
* new default PathToAtomicsFolder value

* better way to handle custom default path to atomics

* better way to handle custom default path to atomics
 2019-11-08 11:50:31 -06:00
CircleCI Atomic Red Team doc generator 31cb175475 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-08 17:47:02 +00:00
Carrie Roberts c648b94ff1 remove hard-coded path to atomics foler in tests (#618) 2019-11-08 11:46:46 -06:00
CircleCI Atomic Red Team doc generator 43683f44af Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 22:28:26 +00:00
Andrew Beers cb5f6c91a6 T1055 svchost writing a file to a unc path (#615) 
* add test

* delete fake svchost

* Update atomics/T1055/T1055.yaml

Co-Authored-By: Keith McCammon <keith@mccammon.org>

* Update atomics/T1055/T1055.yaml

Co-Authored-By: Keith McCammon <keith@mccammon.org>
 2019-11-07 15:27:56 -07:00
CircleCI Atomic Red Team doc generator a86c0a5a9f Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 21:20:17 +00:00
azeemnow c58f6496d6 Add test for T1170 that launches local notepad via VBScript called by… (#505) 
* Add test for T1170 that launches local notepad via VBScript called by Mshta

* Apply suggestions from code review

updates to the atomic name & description

Co-Authored-By: Keith McCammon <keith@mccammon.org>

* Update T1170.yaml

updated the input_arguments type to 'path' and the default value to 'C:\Temp\mshta_notepad.vbs'

* Removed TODOs to pass validation
 2019-11-07 15:19:51 -06:00
CircleCI Atomic Red Team doc generator d2b7adfffd Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 21:18:14 +00:00
rsjohnson07 21b8dbe475 Update T1223.yaml (#614) 
Updated default path to detect atomic red team folder structure.
 2019-11-07 14:17:51 -07:00
CircleCI Atomic Red Team doc generator 87d70d2ef3 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-07 21:11:20 +00:00
Andrew Beers 2f9e306ec2 T1170 mshta.exe to execute vb script to execute code (#611) 
* start work

* add powershell script to list local users and groups

* remove extra command
 2019-11-07 14:10:59 -07:00
MG-RC 239ea1c6b0 Update T1518.yaml (#621) 
Seems like there is an extra tab here which is cause my yaml parser to break. 
```
yaml.scanner.ScannerError: while scanning for the next token
found character '\t' that cannot start any token
  in "<unicode string>", line 3, column 33:
    display_name: Software Discovery
```
 2019-11-07 11:38:10 -06:00
Carrie Roberts 9bcb47ed3e warn if running admin test without admin (#616) 2019-11-06 14:07:27 -07:00
Carrie Roberts e68527d975 PathToAtomicsFolder Input Parameters auto-replaced with actual path (#613) 2019-11-06 12:53:20 -07:00
Tony M Lambert 26aad5ed5e T1085 Rundll32 vbscript execution test (#612) 
* T1085 Rundll32 vbscript execution test

* spelling is hard

* Generate docs from job=validate_atomics_generate_docs branch=t1085-vbscript
 2019-11-05 14:53:49 -07:00
CircleCI Atomic Red Team doc generator 457e6acf51 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:07:44 +00:00
dwhite9 0f77fd91fb Update T1036.yaml (#609) 
* Adding T1086 Alternate Data Stream atomic

* Added newline T1086

* Syncing changes with updstream and origin.

* Added Cleanup to Logon Scripts Atomic T1037

* Added timout to allow time for detection logic to register change.

* Fixed issue with upstream sync,  Re-added timout to allow time for detection logic.

* Fixed cleanup command. Yaml tag not working to allow it to run.

* Update T1158 test 11. 

Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.

* Update T1037.yaml

Moved Reg delete command under the cleanup_command tag for consistency.

* Update T1037.yaml

Moved reg removal command under cleanup_command tag for consistency.

* Update T1086.yaml

Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for power shell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.

Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.

* Update T1036.yaml

Added Cleanup commands for the windows tests
 2019-11-05 12:07:15 -07:00
CircleCI Atomic Red Team doc generator 6170883105 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:05:50 +00:00
Jake Hill 2a7ba54263 Add test for T1518 that displays Internet Explorer Version (#605) 2019-11-05 12:05:28 -07:00
CircleCI Atomic Red Team doc generator 30b373f4d2 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:04:09 +00:00
Tony M Lambert b276cfeae6 T1529 Tests for shutdown/reboot on macOS/Linux (#599) 2019-11-05 12:03:46 -07:00
CircleCI Atomic Red Team doc generator 280b265287 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:03:00 +00:00
Tony M Lambert 7390b5ff9f Fix version warning, add legend (#600) 2019-11-05 12:02:36 -07:00
CircleCI Atomic Red Team doc generator 5b8e894e61 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 19:01:25 +00:00
Tony M Lambert 6cf9c681fd T1055 Test for LD_PRELOAD (#601) 
* T1055 Test for LD_PRELOAD

* Update T1055.yaml
 2019-11-05 12:00:58 -07:00
CircleCI Atomic Red Team doc generator 5a73c43cab Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 18:59:40 +00:00
Francisco Oca 5d4fc8a059 Fixed T1018, Remote System Discovery - sweep (#603) 
The `-o` flag exists only for the MacOs ping command, it doesn't in the Linux (Ubuntu) command.

I just removed it, it should be necessary since it is already using `-c 1`.
 2019-11-05 11:59:14 -07:00
CircleCI Atomic Red Team doc generator 5b297d6bb5 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 18:58:09 +00:00
Francisco Oca 71686f518c Fixed command for "View accounts wtih UID 0" (#602) 
It looks like it got corrupted from an old merge
 2019-11-05 11:57:05 -07:00
CircleCI Atomic Red Team doc generator a3c75c438b Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 18:52:46 +00:00
Tony M Lambert 11586e2f1a T1505 Exchange Transport Agent (#597) 2019-11-05 11:50:29 -07:00
CircleCI Atomic Red Team doc generator 1663bf7d52 Generate docs from job=validate_atomics_generate_docs branch=master 2019-11-05 17:14:33 +00:00
Tony M Lambert ac176d6536 T1531 Account Access Removal Tests (#598) 2019-11-05 10:14:00 -07:00
CircleCI Atomic Red Team doc generator 5caafe4a35 Generate docs from job=validate_atomics_generate_docs branch=master 2019-10-24 17:24:54 +00:00
waltersagehorn-praetorian b676692b7f Update T1140.md (#594) 
Parameters in wrong order in command 2 of Atomic Test 2.
Decode takes parameters in order (Infile, Outfile) (see Atomic Test 1)
Throws `ERROR_FILE_NOT_FOUND` (or `ERROR_INVALID_DATA` if the file exists)

reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#-decode
 2019-10-24 10:24:26 -07:00
CircleCI Atomic Red Team doc generator d3af57d204 Generate docs from job=validate_atomics_generate_docs branch=master 2019-10-24 17:22:40 +00:00
Tony M Lambert cf791d604e T1529 - Shutdown/restart tests (#596) 2019-10-24 10:22:24 -07:00
CircleCI Atomic Red Team doc generator e940fcbe5b Generate docs from job=validate_atomics_generate_docs branch=master 2019-10-24 17:13:51 +00:00