* added dependencies and cleanup
* Update T1010.yaml
Fixed Circle CI error
* Adjusting T1010.yaml
Using Invoke-WebRequest over .Net.WebClient
no longer deleting dependencies
* moved cs and exe files to TEMP directory
* T1010.cs back to atomics folder
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* added prereq and cleanup Commands
* removed key removal after folder is deleted
* final no prereqs
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* move emond test into correct T#
* only show cleanup with inputs if there are inputs
* remove ninja-copy test for now (broke)
* remove ninja-copy test for now (broke)
Co-authored-by: Tony M Lambert <ForensicITGuy@users.noreply.github.com>
Co-authored-by: Michael Haag <mike@redcanary.com>
* only show cleanup with inputs if there are inputs
* test
* Open Ports added to T1016
* Fix Accidental Change
* Fix type
* Fix underscore naming error
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* execute attack in separate process
* install from custom repoOwner and branch
* remove zip after install
* added showdetails brief and sleep for linux output
* remove positional param spec
* replacing special PathToAtomicsFolder in commands
* use pwsh on linux
* kill proc tree linux
* include path in remove-item
* update readme
* update readme
* update readme
Co-authored-by: Tony M Lambert <ForensicITGuy@users.noreply.github.com>
* fixed path to /src in test 1+ minor spec fix
-updated supported platforms, duplicates
* mv hello.c to /src (delete file)
* sample c script (moved from root directory)
* Automated test 1, added clean-up to all 3 tests
-Automated test 1 (Make and modify file from C Source)
-added clean-up to all 3 tests
-added touch command to make 'default file' on tests 2 and 3 (in case no other file provided)
* added PathToAtomic varible per reviewer, added fix to avoid changing file in atomics folder
* Update T1166.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: Keith McCammon <keith@mccammon.org>
* T1096 Test to Write File in ADS
* Generate docs from job=validate_atomics_generate_docs branch=t1096-ads-write
* Adding T1096 prereq and cleanup commands
* Generate docs from job=validate_atomics_generate_docs branch=t1096-ads-write
* T1096 Fix prereq and cleanup
* Generate docs from job=validate_atomics_generate_docs branch=t1096-ads-write
Co-authored-by: Keith McCammon <keith@mccammon.org>
* Add T1490 test for Sodinokibi VSC deletion
* Generate docs from job=validate_atomics_generate_docs branch=t1490-wmiobject
* Generate docs from job=validate_atomics_generate_docs branch=t1490-wmiobject
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* lowercase url
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* first draft at dependencies
* lowercase url
* fixing yaml spacing issue
* correcting input name
* rm to del
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* show executor and privilege requirement
* added an atomic to add c2 domain under trusted zoneMap
* corrected typos
* modified adding a domain by creating one the key is not there
* moved registry modification atomic under T1112
* updated local execution file to be current
* corrected typos
* replaced rm by del for tests with executor as command_prompt
* changing rm to del for command_prompt
* Update T1102.yaml
* Update T1112.yaml
my local repo was behind. This file wasn't changed this time.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* updates paths to files
* moving T1170.hta to the source directory
* moving mshta.sct to the /src directory
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* renaming /shells directory to /src to bring up to current project spc
* moving files...
* ..moving files..
* moving files
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* show executor and privilege requirement
* added an atomic to add c2 domain under trusted zoneMap
* corrected typos
* modified adding a domain by creating one the key is not there
* moved registry modification atomic under T1112
* updated local execution file to be current
* corrected typos
* corrected typos
* added suppression for file not found in clean up
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* show executor and privilege requirement
* added an atomic to add c2 domain under trusted zoneMap
* corrected typos
* modified adding a domain by creating one the key is not there
* moved registry modification atomic under T1112
* updated local execution file to be current
* corrected typos
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Andrew Beers