5cc2b5a88d
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-07 16:43:14 +00:00
ed7d3faabd
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-07 16:43:06 +00:00
6f40ae85f5
solarigate atomic ( #1358 )
2021-01-07 09:42:43 -07:00
fb179a30a8
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 19:39:15 +00:00
a3ad539a58
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 19:39:08 +00:00
7c1471c403
T1110.001: add test "Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)" ( #1354 )
...
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
Co-authored-by: Clément Notin <clement.notin@alsid.com >
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
2021-01-06 12:38:52 -07:00
4dbcb20934
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:51:58 +00:00
a4ca274d7d
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:51:49 +00:00
c71444f1dc
T1110.003: add test "Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos)" ( #1349 )
...
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
Co-authored-by: Clément Notin <clement.notin@alsid.com >
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
2021-01-06 11:51:31 -07:00
0b9d36e786
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:47:31 +00:00
9a59eac0b8
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:47:22 +00:00
d5b6e69f89
T1003.006: add DCSync test ( #1352 )
...
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
Co-authored-by: Clément Notin <clement.notin@alsid.com >
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
2021-01-06 11:46:59 -07:00
603040c6e3
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:42:39 +00:00
90611a079a
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:42:30 +00:00
b0a0bbc66e
T1055: add new test "Remote Process Injection in LSASS via mimikatz" ( #1353 )
...
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
Co-authored-by: Clément Notin <clement.notin@alsid.com >
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
2021-01-06 11:42:08 -07:00
443e0318fc
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:35:50 +00:00
7ef584f9fd
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:35:42 +00:00
d50239ff57
T1558.001: add test "Golden ticket" ( #1351 )
...
* T1558.001: add test "Golden ticket"
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
Co-authored-by: Clément Notin <clement.notin@alsid.com >
* Add support for default domain SID (one less parameter to specify)
With default:
invoke-atomictest T1558.001 -InputArgs @{ "domain" = "lab.lan" ; "krbtgt_aes256_key"="xxxxx" }
[...]
mimikatz(commandline) # kerberos::golden /domain:lab.lan /sid:S-1-5-21-1891480667-311803191-3341389180 /aes256:xxxxx /user:goldenticketfakeuser /ptt
With specific SID ("toto"):
invoke-atomictest T1558.001 -InputArgs @{ "domain" = "lab.lan" ; "krbtgt_aes256_key"="xxxxx" ; "domain_sid"="toto" }
[...]
mimikatz(commandline) # kerberos::golden /domain:lab.lan /sid:toto /aes256:xxxxx /user:goldenticketfakeuser /ptt
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
2021-01-06 11:35:14 -07:00
ccb97235c4
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-06 18:20:33 +00:00
4064764c17
T1207: automate test for DCShadow ( #1350 )
...
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
Co-authored-by: Clément Notin <clement.notin@alsid.com >
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com >
2021-01-06 11:20:11 -07:00
91e05be201
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-05 23:34:56 +00:00
8c4eb62532
Update T1127.001.yaml ( #1356 )
...
Modified Atomic Test to allow for more granular control of input arguments.
Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com >
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2021-01-05 16:34:35 -07:00
4c655f1e84
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-05 23:31:24 +00:00
139ed0927e
Update T1550.003.yaml ( #1355 )
...
Added prereqs to test 1
2021-01-05 16:30:39 -07:00
aed82f6297
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-01 23:43:53 +00:00
871cab05dd
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2021-01-01 23:43:46 +00:00
bb9c4b1f6f
T1049 update ( #1347 )
...
* T1049-Update
* T1049-Update
* T1049-Update
Co-authored-by: Toua Lor <tlor@nti.local >
2021-01-01 16:43:33 -07:00
aa9f47cdae
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2020-12-29 14:18:50 +00:00
1ce97c0325
Merge pull request #1346 from redcanaryco/clr2of8-patch-2
...
update gup.exe download link
2020-12-29 09:18:20 -05:00
c4f6609515
update gup.exe download link
2020-12-28 16:02:35 -07:00
582d2e97f8
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2020-12-28 22:45:56 +00:00
d9dcbd3dec
T1070.003 test7 cleanup ( #1345 )
...
* Update T1070.003.yaml
Added cleanup command to test "Clear and Disable Bash History Logging"
* Update T1070.003.yaml
corrected spacing
* Update T1070.003.yaml
changed echo set -o to a sed replace command
2020-12-28 15:45:17 -07:00
527fd3b78b
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2020-12-28 16:19:14 +00:00
b699820fe3
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2020-12-28 16:19:04 +00:00
91e0e61c94
Adding RemoteFXvGPUDisablement.exe LOLBin coverage ( #1341 )
...
* Update T1218.yaml
Adding RemoteFXvGPUDisablement.exe LOLBIN coverage via AtomicTestHarnesses to T1218. Thanks, @MHaggis!
* Update T1218.yaml
Adding a more detailed description for this test.
* Update T1218.yaml
2020-12-28 09:18:37 -07:00
aa8e484d30
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2020-12-21 16:40:14 +00:00
9be279e20f
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2020-12-21 16:40:06 +00:00
ef3f58fe24
Merge pull request #1338 from clr2of8/icedid
...
rundll32 spawning mshta and wscript
2020-12-21 11:39:46 -05:00
24b31fa6cc
Merge branch 'master' into icedid
2020-12-21 11:38:51 -05:00
0fe0dc26c6
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
2020-12-21 16:14:07 +00:00
dbaaec1021
T1546.001 update ( #1339 )
...
* notes for updating cleanup command
* T1546.001-cleanup
Co-authored-by: Andrew Yang <ayang@nti.local >
2020-12-21 09:13:37 -07:00
fd2bbab66b
typo fix
2020-12-19 16:26:33 -07:00
e059e698ba
rundll32 spawning mshta and wscript
2020-12-19 16:17:38 -07:00
b3e7ae893f
Move CI generation of GUIDs and docs to master branch only ( #1337 )
2020-12-18 14:19:58 -07:00
5ff80f6f90
Update maintainers.md ( #1335 )
...
* Update maintainers.md
* Generate GUIDs from job=generate_and_commit_guids branch=maintainers-update
* Generate docs from job=generate_and_commit_docs branch=maintainers-update
Co-authored-by: CircleCI Atomic Red Team GUID generator <email>
2020-12-17 22:57:51 -07:00
756a90294b
Shortcut additions to user startup ( #1329 )
...
* Shortcut additions to user startup
New addition to test creating a shortcut link to an executable in a users startup directory
* Update T1547.001.yaml
* remove extra whitespace
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-12-17 07:23:03 -07:00
7ebf7536b8
Separate CI steps so Github status checks can reference the right checks ( #1334 )
...
* Separate CI steps so Github status checks can reference the right checks
* Generate docs from job=generate_docs branch=bb-separate-ci-steps
* Commit GUIDs after generating; require GUIDs before other steps
* Fix config
* Generate GUIDs from job=generate_guids branch=bb-separate-ci-steps
* Generate docs from job=generate_docs branch=bb-separate-ci-steps
* Better wording
* Update config.yml
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-12-16 11:27:51 -07:00
9a2c1350c9
Added T0178.003 for local accounts ( #1330 )
...
* Added T0178.003 for local accounts
* Update T1078.003.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-12-16 10:36:27 -07:00
b8774a1318
initial ( #1333 )
...
* initial
* hard-code to winword process
Co-authored-by: avocado <avocados@smuggler.com >
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-12-16 09:32:10 -07:00
1eaae6d3ce
Added T1082 test 8, Griffon recon advanced tool ( #1320 )
...
* Create T1595.002.yaml
* Added vbscript (griffon recon) for test 1
Script ref. (public gist) https://gist.githubusercontent.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d/raw/55ecbf8f83c36984371a335991f6cf4f2022319b/gistfile1.txt
* added run as priv user
n/a
* removed guid accidentally put in
* removed extra line
* checking syntax final
* remove dependency line
* minor updates to invoke the build process again
* removing elevation required
thanks for that additional review, carrie
* moving to T1082 per review
* adding test 8 (griffon recon)
* create griffon_recon.vbs for test 8
script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d),
and it gives the exact same recon behavior, hash mentioned in the code, as the original (minus the C2 interaction).
* moving vbs file to T1082 per review
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-12-16 09:19:14 -07:00
CircleCI Atomic Red Team doc generator