* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with updstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timout to allow time for detection logic to register change.
* Fixed issue with upstream sync, Re-added timout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
Added test 6: Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. I also formatted the name of this atomic and numbers 1 and 2 to match the others e.g. ("Remote System Discovery - [tool]")
Added a new test that attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. As well I updated the names of the tests here while keeping them simple; they were duplicated and not descriptive enough.
Details: After further thought & discussion; suggesting a more precise name for atomic 4 (originally pulled here by me). Changing to "Modify registry to store logon credentials," and removing the former word "downgrade." The registry modification in this test does not actually enable a "downgrade," rather it allows the storage of auto-login credentials overall; they are resultingly stored as text, but that is not a downgrade
Testing: no testing required (only name change)
Associated Issues: none
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
* Added 'Elevated group enumeration using net group' + minor fix
added a new atomic ( 4), and updated attack 2 name to more clearly reflect what it is doing versus the newly added atomic (which has commands more specific to high value, elevated groups, and as well simple obfuscation)
* minor syntax fix; description clarification
* further minor clarifications to description and title
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. This is a simple atomic test that executes this unhooking behavior
Details: Adding a new atomic for support on 1107, Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. An earlier version of this was drafted by Carrie Roberts (@clr2of8 )
Testing: atomic was tested with success by another jb on Windows 10, powershell with elevated privileges
Associated Issues: will also update the .md page; no issues known
CircleCI Atomic Red Team doc generator