5996ff29dc
Update to T1053 to add Register-ScheduledTask ( #707 )
...
New atomic test to include Register-ScheduledTask:
https://docs.microsoft.com/en-us/powershell/module/scheduledtasks/register-scheduledtask?view=win10-ps
2019-12-05 13:17:18 -07:00
8b61643f7f
Python framework: Fix multiline powershell scripts ( #706 )
...
This fix is for many powershell based tests that have multiple lines, often setting variable names (some of them are T1101, T1098, T1084 and many more).
2019-12-03 12:49:57 -07:00
9a7998a576
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-03 19:48:22 +00:00
b69ad5f987
T1500 compile after delivery ( #700 )
...
* Add test for T1073 that does DLL Side-Loading using the Notepad++ GUP.exe binary
* Add test for T1143 that launches a hidden PowerShell Window
* Add test for T1500 that compiles C# code using csc.exe binary
* Add cleanup command for T1500 Compile_After_Delivery
* Add cleanup command for T1143-Hidden_Window
* Add cleanup command for T1073-DLL_Side-Loading
2019-12-03 12:48:04 -07:00
7232ea1789
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-03 19:45:46 +00:00
01757e0df0
Added cleanup commands to cleanup hive files created. ( #703 )
...
* Added cleanup commands to cleanup hive files created.
* Updated test to have non-ART folder output
Updated test to have a folder other than the Atomic Red Team location for the saving of results(.hive files). Updated the cleanup to reflect the change in the test. Placed folder creation at the beginning so that the o
2019-12-03 12:45:22 -07:00
00972d1fc7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-02 16:54:49 +00:00
da80cf8259
fix tests ( #701 )
2019-12-02 09:54:21 -07:00
34b28a50d4
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-02 16:52:03 +00:00
c2e01cdb48
Fix Path To Document ( #702 )
2019-12-02 09:51:51 -07:00
7ea2f1e0a0
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-02 16:39:23 +00:00
bb945c8d61
T1088 mocking trusted directories - New Atomic ( #704 )
...
* Created rough draft for new atomic: T1088 - UAC Bypass via Mocking
Trusted Directories.
* Fixed typo in Mocked directory. Tested cleanup commands successfully.
* Fixed path of cleanup command to match change in directory of primary
command.
2019-12-02 09:39:07 -07:00
380a113809
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-02 16:37:13 +00:00
42280e035a
T1088- Added cleanup commands ( #705 )
...
* Added cleanup commands to the other atomic tests.
* Fixed cleanup command for the command_prompt version of "Bypass UAC using Fodhelper"
2019-12-02 09:36:43 -07:00
0b96ad46c7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-27 16:07:50 +00:00
128f6054e4
recon trickbot style ( #696 )
2019-11-27 10:07:33 -06:00
6d76b77fc4
T1089 Disable AMSI & Script Block Logging ( #695 )
...
* T1089 Disable PoSH AMSI & Script Block Logging
* Generate docs from job=validate_atomics_generate_docs branch=t1089-disable-amsi-logging
2019-11-26 18:06:03 -07:00
6d1229ee56
T1027 Execution of base64 PowerShell ( #694 )
...
* T1027 base64-encoded PowerShell tests
* Generate docs from job=validate_atomics_generate_docs branch=t1027-base64-posh
2019-11-26 18:03:20 -07:00
20563e42ed
T1112 Registry Modification to Store PowerShell Code ( #693 )
...
* T1112 - Storing PoSH code in Registry
* Generate docs from job=validate_atomics_generate_docs branch=t1112-posh-code
2019-11-26 17:59:41 -07:00
979695d818
T1018 Discovery with net.exe for Domain Computers ( #692 )
...
* T1018 - Discover systems with net domain computers
* Generate docs from job=validate_atomics_generate_docs branch=t1018-net-domain-computers
2019-11-26 17:44:32 -07:00
3d06083dbe
-ShowDetails without adding '-InformationAction Continue' ( #686 )
...
* ShowDetails without -InformationAction Contnue
* ShowDetails without -InformationAction Contnue
* ShowDetails without -InformationAction Contnue
2019-11-25 11:28:08 -06:00
24415af3bb
Python execution framework fix: use any value type ( #691 )
...
* Python execution framework fix: use any value type
This change removes the function convert_to_right_type.
Currently whenever a new parameter type is added (i.e. T1058 uses type "registry"), Python script runner crashes with "An error occurred while running the suite. Value type registry does not exist!". This wouldn't be a problem if the convert_to_right_type function did some real validation but as it stands today the function convert_to_right_type doesn't really do anything (except for casting integers into strings). If a type that needs some serious validation/conversion ever comes up the function may be reinstated.
* Deleting convert_to_right_type function
2019-11-25 10:10:55 -07:00
0954cf3e57
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-25 17:06:20 +00:00
396cdf4d92
fix duplicate key in yaml issues ( #690 )
2019-11-25 11:05:55 -06:00
088081e033
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-25 16:55:57 +00:00
abefc468d2
T1137 - Word spawned a command shell and used an IP address in the command line ( #610 )
...
* create document and test
* update default atomics path
* refactor tests
* change back path
The PathToAtomicsFolder path works when installed from the script, but when closed from github the folder name is different. I think we should unify these and just have people clone from github if they want to use it, instead of having a seperate install script.
* removed duplicate, used powershell to launch document
2019-11-25 09:55:38 -07:00
1b05ec3b29
Added Hostname to ExecutionLog ( #688 )
...
* Added Hostname to ExecutionLog
* added username
2019-11-22 12:57:29 -07:00
389c115caa
removing dead links ( #687 )
2019-11-22 12:51:22 -07:00
8b64037681
remove atomic-red-team-master folder from install ( #689 )
...
* remove extra atomic-red-team-master folder for install
* remove extra atomic-red-team-master folder for install
2019-11-22 11:57:30 -07:00
5f087ec34d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-21 03:07:05 +00:00
5bf01b6c2c
T1482 query ad/domain info ( #676 )
...
* start work
* Update T1482.yaml
2019-11-20 21:06:47 -06:00
802b693f29
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-20 22:55:45 +00:00
31151185e5
T1122 - Update to use PathToAtomicsFolder ( #681 )
...
* T1122 - Update to use PathToAtomicsFolder
Removed relative path to src folder, added PathToAtomicsFolder
* Modifying .md file
2019-11-20 15:55:28 -07:00
10a52d388b
T1077 Redirect output to Admin Share ( #685 )
...
* T1077 Redirect output to Admin Share
* Generate docs from job=validate_atomics_generate_docs branch=t1077-admin-output
2019-11-20 15:46:24 -07:00
ccb4a26407
T1082 Add Hostname and MachineGUID tests ( #683 )
...
* T1082 Add Hostname and MachineGUID tests
* Generate docs from job=validate_atomics_generate_docs branch=t1082-hostname-machineguid
2019-11-20 15:42:33 -07:00
0afc5beb6f
T1016 Firewall Rule Enumeration with Netsh ( #682 )
...
* T1016 Firewall Rule Enumeration with Netsh
* Generate docs from job=validate_atomics_generate_docs branch=t1016-firewall-enum
2019-11-20 15:38:52 -07:00
9c68146ff9
T1057 Process discovery via tasklist ( #680 )
...
* T1057 Process discovery via tasklist
* Generate docs from job=validate_atomics_generate_docs branch=t1057-tasklist
2019-11-20 15:37:48 -07:00
8eb281faa6
T1047 - Wmic process create tests ( #679 )
...
* T1047 - Wmic process create tests
* Generate docs from job=validate_atomics_generate_docs branch=t1047-wmic-process
2019-11-20 15:36:42 -07:00
4c3e2c3d83
T1018 Test for DC discovery with nltest ( #678 )
...
* T1018 Discover DCs with nltest
* Generate docs from job=validate_atomics_generate_docs branch=t1018-nltest-dclist
2019-11-20 15:34:54 -07:00
713215eaf7
Added T1064 Scripting test for Windows ( #677 )
...
* Added T1064 Scripting test for Windows
* Generate docs from job=validate_atomics_generate_docs branch=t1064-batch-script
2019-11-20 15:33:52 -07:00
947627a84d
T1105 PowerShell download test ( #684 )
...
* T1105 PowerShell download test
* Generate docs from job=validate_atomics_generate_docs branch=t1105-powershell-test
2019-11-20 15:32:40 -07:00
586684d308
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-19 22:24:59 +00:00
c5b2c92ad3
cleanup tests ( #673 )
...
* cleanup tests
* fix path issue and add elevation requirements
* fix format
* remove redundant tests
2019-11-19 15:24:45 -07:00
a49e529a34
Leverage PathToAtomicsFolder in Python framework ( #675 )
...
Parsing the command to replace PathToAtomicsFolder variable.
Can-t use environment variables as some Powershell based tests use "$PathToAtomicsFolder".
I admit that it-s a bit hackish but I think it-s the most straightforward way to handle this without going through a major refactor of this framework
2019-11-19 15:20:59 -07:00
24ff7c7173
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-19 22:14:12 +00:00
934aaa1435
T1023 LNK file to launch CMD placed in startup folders ( #674 )
...
* put lnk files in startup folder
* fix typo
2019-11-19 15:13:45 -07:00
b5db6b26fb
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 23:27:24 +00:00
ea619c49a3
create scheduled tasks a couple way to run on startup ( #672 )
2019-11-18 16:27:09 -07:00
69834f6b88
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 20:46:06 +00:00
826abe638e
windows and powershell tests to recon data and write it to temp file for export ( #671 )
2019-11-18 13:45:33 -07:00
JimmyAstle