Corrected the MITRE ATT&CK sub-technique name at the top of the file.
Added two new tests for disabling Windows Command Line Auditing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Test #2 for T1071.001 is currently not working properly, since the prerequisite command is incorrect.
This change is to fix the md and yaml files to update the URL for curl
* Update T1120.yaml
Added fsutil drive discovery for the technique of Peripheral Device Discovery
* Update T1120.yaml
Made some changes due to error in the workflow
* Update T1120.yaml
Made changes to remove several items
* Update T1120.yaml
Changes made
* Update T1120.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1030.yaml Network-Based Data Transfer in Small Chunks
# Atomic Test # - T1030 - Data Transfer Size Limits: Network-Based Data Transfer in Small Chunks
## Objective
Simulate the technique of transferring data over a network in small chunks to evade size-based detection mechanisms.
## Description
This test involves transferring data over a network (to a controlled external endpoint like `example.com`) in small, segmented sizes. This simulates an adversary's behavior in conducting stealthy data exfiltration.
* Update T1030.yaml
* Update T1030.yaml
removed clean up commands and detection
* Update T1030.yaml
* Update T1030.yaml
updated guid
* Update T1030.yaml
* Update T1030.yaml
updated indents
* Update T1030.yaml
---------
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Improve pip handling (#1)
* virtual env added to T1018, tested and confirmed working
* virtual env added to T1003.001, tested and confirmed working
* virtual env added to T1555.003, tested and confirmed working
* Removing pip-autoremove installation as not required
* updating atomics count in README.md [ci skip]
---------
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: publish bot <opensource@redcanary.com>
* Adding new test for T1654 for Enumerate Windows Security Log via WevtUtil
Adding new test for T1654 for Enumerate Windows Security Log via WevtUtil
* Update T1654.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create T1137.001.yml
Created new Directory and new test for T1137.001
* Rename T1137.001.yml to T1137.001.yaml
* Update T1137.001.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* adding ASR rules deletion
* adding ASR rules deletion
* adding ASR rules deletion
* adding ASR rules deletion
* adding ASR rules deletion
* adding ASR rules deletion
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Add new atomic test T1027.007 Obfuscated Files or Information: Dynamic API Resolution
* Add new atomic test T1027.007 Obfuscated Files or Information: Dynamic API Resolution
* Add new atomic test T1027.007 Obfuscated Files or Information: Dynamic API Resolution
* Add new atomic test T1027.007 Obfuscated Files or Information: Dynamic API Resolution
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>