65d0f6dc5d
Zip a folder with PowerShell ( #640 )
...
* add test to compress directory and delete it
* remove cleanup command sbecause I don't have a way to test them yet
* fix paths
* fix command misspelling
* zip into C drive
* fix paths to Temp finally
* move to data staging
2019-11-18 08:28:44 -07:00
232fb47eda
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 15:19:08 +00:00
942ca94244
T1173 execute power shell script via word ddeauto ( #643 )
...
* first commit for testing file download
* update download path for ps1 to test
* update path to point to redcanary repo. Once this is merged in it will download the file
* rename document, add command
2019-11-18 08:18:56 -07:00
26bdd49b8c
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 15:17:52 +00:00
6635e0cb36
Switched executor to powershell. Fixed commandline to run correctly and ( #669 )
...
added comments for clarification.
2019-11-18 08:17:34 -07:00
275eaa9f59
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-16 00:22:19 +00:00
12518d69c4
T1504 powershell profile ( #668 )
...
* T1054 Powershell Profile take 2
* T1054 Powershell Profile Take 3
* pop calc.exe
* pop calc.exe v2
2019-11-15 17:21:59 -07:00
6bc3ec3edc
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-15 15:42:59 +00:00
80d06be3a8
Added UAC Bypass using ComputerDefaults.exe and cleanup commands ( #667 )
2019-11-15 08:42:38 -07:00
abc2f2e563
added documentation of unix-like, clean directory structure (all files in /bin or /src besides .yaml or .md) ( #664 )
...
/bin for executables
/src for source
2019-11-15 08:39:01 -07:00
c86cb7ddbf
a little bug fix ( #665 )
...
* a little bug fix
* remove invoke call at the end
2019-11-15 07:05:02 -07:00
59f2b264e9
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-15 05:02:01 +00:00
5aed1f0210
moving .ps1 source in T1056 to /src folder ( #663 )
...
* moving source code to /src
updated path of .ps1 source files here to best practices /src directory for all source code files
* moving input ps1 file for 1056, from PowerShellMafia/PowerSploit (moving file only)
moving the file to /src
* deleting file to complete move
2019-11-14 22:01:43 -07:00
33d20ffb7c
show executor and privilege requirement ( #662 )
2019-11-14 21:59:12 -07:00
3311f02362
Adding .yaml integer parser to python runner ( #639 )
...
This change is to be able to execute tests contained in T1055.yaml and T1071.yaml. Will also cover any future tests that may use that data type as argument.
2019-11-14 20:43:41 -07:00
70d795ffa2
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-15 03:38:21 +00:00
5259c936c1
Updated T1002 ( #655 )
2019-11-14 20:37:26 -07:00
ddadfbb3bf
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-14 22:57:31 +00:00
e93ed496ac
default pid set to spoolsv ( #656 )
2019-11-14 15:57:07 -07:00
41ca40f457
Broken URL ( #661 )
...
* Broken URL
Fixed broken url for test 1
* Generate docs from job=validate_atomics_generate_docs branch=t1085fix
2019-11-14 15:30:19 -06:00
9980382b3d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-14 21:11:25 +00:00
9530b27936
T1085 deleting wrong "extra" quotation mark ( #652 )
...
There are 5 quote symbols in a single command. Executing the given command generates a JScript error "Unterminated string constant"
Deleting the extra quote causes the command to correctly open notepad.exe
2019-11-14 14:10:57 -07:00
fdd2927285
T1216 Added tests for proxied script execution ( #627 )
...
* Added script proxy tests
* Generate docs from job=validate_atomics_generate_docs branch=t1216_tests
* Moving command
* Generate docs from job=validate_atomics_generate_docs branch=t1216_tests
2019-11-14 14:07:28 -07:00
d6f8628818
T1485 Test to delete backup files similar to Ryuk ( #659 )
...
* T1485 Test to delete backup files similar to Ryuk
* Generate docs from job=validate_atomics_generate_docs branch=t1485-del-backups
2019-11-14 14:06:09 -07:00
e8d584cb5c
T1085 - Atomic Friday ( #660 )
...
* Atomic Friday - T1085 Adds
Atomic Friday - T1085 Adds
* Generate docs from job=validate_atomics_generate_docs branch=T1085
* Atomic Friday - Ready
Atomic Ready!
* Generate docs from job=validate_atomics_generate_docs branch=T1085
2019-11-14 15:04:08 -06:00
5a0e4482dd
T1089 Disable Arbitrary Security Service ( #658 )
...
* T1089 Disable Arbitrary Security Service
* spelling is hard
* Generate docs from job=validate_atomics_generate_docs branch=1089-service
2019-11-14 13:46:42 -07:00
08c4b265be
T1077 PsExec Test ( #657 )
...
* T1077 PsExec Test
* Generate docs from job=validate_atomics_generate_docs branch=t1077
2019-11-14 13:43:23 -07:00
dce95a96da
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-14 06:15:58 +00:00
c36b28eef8
Added cleanup command for fax binary ( #654 )
2019-11-13 23:15:34 -07:00
5dbf1b7864
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-13 23:42:50 +00:00
b22483e2f1
T1090 add proxy reg key ( #653 )
...
Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
2019-11-13 16:41:46 -07:00
406b4a1f77
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-13 00:52:25 +00:00
3fdc8ee7de
Cleanup test 6, 7 ( #648 )
...
Changing default value from env:SystemRoot to env:Temp. By default, user can write to systemroot temp directory but cannot execute the cleanup commands. Correcting typo scvhost to svchost.
2019-11-12 17:51:57 -07:00
9412dc71f4
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-13 00:50:03 +00:00
95f0e151ea
create simple sdb file ( #649 )
2019-11-12 17:49:38 -07:00
52d472a70c
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 22:09:07 +00:00
fb4c322761
Added cleanup commands for test 1 & 2 ( #651 )
...
Also changed the default process for test 3 to spoolsv.exe because this exists by default on all machines.
2019-11-12 15:08:47 -07:00
e7e3b5f343
++ before check ( #650 )
2019-11-12 13:16:04 -07:00
e5da8a341a
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 07:37:40 +00:00
aa0aca3b2e
T1070 delete system logs using power shell ( #642 )
...
* stop eventlog service and delete Security.evtx logs
* add tests
* fix format error
* try 2 fix formatting
2019-11-12 00:37:19 -07:00
0a1f37aa54
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 07:26:51 +00:00
da90ca6563
T1036 malicious process masquerade as lsm ( #637 )
...
* create test, fix lined endings
* fix elevation requried
* fix file path
* fix formatting for circleci test
* misspelling
2019-11-12 00:26:37 -07:00
c3183a36fa
remove development section, Carrie's new instructions cover it ( #638 )
2019-11-12 00:21:34 -07:00
d5217939c7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 07:09:21 +00:00
df73365c8a
Updated executor to powershell and updated command syntax. ( #635 )
2019-11-12 00:08:58 -07:00
c6ea937fb4
Fix show details bug ( #647 )
...
check prereqs with -showdetails was executing the prereq command instead of showing the details
2019-11-11 23:26:33 -07:00
7a26c61e28
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 05:57:19 +00:00
108cf663a8
Insert cleanup_command for test 2 ( #646 )
2019-11-11 22:56:53 -07:00
49f98f60ce
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 05:22:40 +00:00
bf7bc47752
Separated out Cleanup Commands ( #645 )
2019-11-11 22:22:17 -07:00
Andrew Beers