* update output file name to match expected
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Allow the root user on Linux systems to run 'T1087.001: Account Discovery: Local Account - List opened files by user' by updating how $username is determined
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
* Windows LaZagne
Adding a test for LaZagne on Windows to collect passwords stored in browsers. Issue #1030
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Changed the ms_office_version argument on tests 1-4 to pull the latest version of Office from the registry instead of defaulting to 16.0
Added cleanup commands to test 5
Changed commands in tests 1-4 to account for changes in ms_office_version
* Update T1204.002.yaml
Added a new atomic to simulate an adversary using a malicious word doc to stage malicious .bat files in appdata then execute them.
* Update T1204.002.yaml
Made the default ms_office_version more robust to handle a box with multiple versions of Office. It will select the latest.
* Update T1204.002.yaml
Added to the description what the .bat does
* T1014 - Driver rootkit test
Fixed Test 3 per issue #1153.
- Added pre-req
- New comments for additional info on retrieving the capcom driver
- Added elevation required
- Added new input argument for puppetstrings.exe
Confirmed operational on win10.
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Fixed GUID
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Update used_guids.txt
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* spelling update and new test
Minor spelling update and adding a test for Enterprise Admins group enumeration
* couple more syntax updates
couple more syntax updates
* Updating cmdline abbreviation
These are valid cmdline abbreviations. I was too quick to update :)
* Clean up swp
Cleaning up swap file
* Putting back original discovery commands
* one last change
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Quick test for default domain administrator account enumeration
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1070.003.yaml
* Update T1078.001.yaml
* Update T1113.yaml
Remove error from screen when cleaning up for T1113-5
* Update T1197.yaml
Remove error when cleaning up for T1197-4
* Update T1562.001.yaml
Remove error from cleanup of T1562.001-23
* Update T1562.004.yaml
Remove error shown for cleanup of T1562.004-5 and T1562.004-6
* Update T1574.009.yaml
Remove error from cleanup of T1574.009-1
* Update T1553.004.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
The following [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) have been released to simulate [T1059.001](https://attack.mitre.org/techniques/T1059/001/) in various capacities, including the use of `EncodedArguments`, variations of `EncodedCommand`, and command line switch types. Input arguments may be manipulated as needed to enhance the simulation; all of them may be found by reviewing the individual Harness code or by importing the ATH module and running `get-help`.
Adding additional tests to:
- T1059.001 - Command and Scripting Interpreter: PowerShell
For the pre-req, it will use the recently released AtomicTestHarnesses [PowerShellGallery](https://www.powershellgallery.com/packages/AtomicTestHarnesses) module, installed with `Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force`.
Confirmed all tests are operational on Windows 10 as a non-privileged user.
Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources.
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>