* Create T1078.001 and yaml
Creating Folder for sub technique and yaml for .001
* Update T1078.001.yaml
* Update T1078.001.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1040.yaml
Uses the built-in Windows packet capture
* Update T1040
Adding temp folder and del command to delete that trace.etl and added sleep command before and after (it does a little bit of processing when stopped) with PowerShell.
* Update T1040.yaml
Changed to use variables where possible (couldn't get %temp% to work in the command). Use a long timeout (50 seconds) as it took a while for collections to complete. Added more description to explain what artifacts are left after execution. Thanks Carrie for all your time/input spent on this to make it great.
* Update T1040.yaml
added %LOCALAPPDATA%
* Update T1040.yaml
Switched to %temp%
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Fix: only_platform circular argument reference
Remove a circular argument reference of only_platform, which was causing scripts in ./bin/ to error out when using Ruby version 2.7.
* Add T1053.001 Test 1
Co-authored-by: Billy Wilson <billy_wilson@byu.edu>
* Fix T1551 to T1070
Found that we had T1070 labeled incorrectly as T1551. MITRE pushed a fix for this per https://attack.mitre.org/resources/updates/updates-july-2020/
```
Indicator Removal on Host Was incorrectly re-IDd to T1551, restored to T1070 and its sub-techniques were changed to T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, and T1070.006
```
* Generate MD fix
Attempting to get the MD to generate
* Update enterprise-attack.json
* Generate docs from job=validate_atomics_generate_docs branch=T1070-indicator-removal-fix
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* added -accepteula flag for PsExec
will make the test seamless and fully automatable
ref https://github.com/redcanaryco/atomic-red-team/issues/1092
* Added reference to making tests not require interaction like -accepteula -q options
* added -accepteula to PsExec command
will make it automated
* Added /accepteula option to Autoruns execution in test 1
prior this may have prevented full automation of the test
* Update spec.yaml
* typo, nice catch cnotin
Co-authored-by: Clément Notin <clement@notin.org>
* fixing mystery text accidentally added to branch (rm'd)
* added -accepteula on psexec test, thanks @cnotin for the catch!
* added back in word, 'manually' removed in last pull acc.
thanks @cnotin
* removing /accepteula proposed previously, from test 1
Co-authored-by: Clément Notin <clement@notin.org>
* moving shell script file to /src directory to meet spec.yaml
* fixing path to script in test 2 (just moved file in prior commit)
* fixed newline added a few mins ago
* fixed newline
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* T1021.006 evil-winrm atomic
* Update T1021.006.yaml
* Update T1021.006.yaml
fixed input args
* Update T1021.006.yaml
added Prereqs for Ruby and moved Evil-WinRM to a Prereq
* Update T1021.006.yaml
removed duplicate description and changed Ctrl + C to exit.
* Updated yaml
updated descriptions for prereqs. removed un-needed "exit" from cleanup_command.
* $env:username replaced
$env:username replaced with $env:Temp to account for people who have user profiles in alternative locations than C and also download to TEMP instead of Desktop.
* Removing cleanup_command
Removing cleanup_command as the evil-winrm is a prereq gem. In the future, if a cleanup_prereq_command is implemented this may be worth adding back in (gem uninstall evil-winrm -x).
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Add a line to include/force TLS1.2 in order for the prereq function to work on win2k16
All the credit to clr2of8 for sending me the string
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>