* fix: Updating atomics YAML file structure to align with the new JSON schema definition.
This also fixes some white space issues and general line formatting across all impacted atomics.
* fix: One additional change needed
---------
Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1204.002.yaml
Added Mirror Blast technique.
* Update T1204.002.yaml
Added cleanup command to Mirror Blast Test.
* Add files via upload
Added Excel sheet with macro to download 7zip.
* Add files via upload
Information about macro in Mirror Blast.
* use PathToAtomicsFolder
* add link to blog
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Updated format of input_argument types for Url
* Updated type for input_arguments to Url (missed)
* Updating Path type for input_arguments
* Updated String type for input_arguments
* Missed a few Strings and Url types
* Updated default values for input_arguments to align with their types
* Updated Integer type for input_arguments
* Updated formatting and spacing of atomics
* Added T1204.002 Test 9 for Generic Payload Download
* Modified T1204.002 Test 9 for Generic Payload Download by adding verbiage
* Modified T1204.002 Test 9 for Generic Payload Download by adding verbiage
* Modified T1204.002 Test 9 for Generic Payload Download by adding examples
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Added T1204.002 test, with https://demo.wd.microsoft.com/Page/PUA test
* Make download URL configurable (so it can be mirrored locally).
Execute pua-file properly (& powershell syntax)
* Spell Remove-Item correctly...
* prereqs check should be a command, not string
* The PUA test-file is not Windows Defender centric, removing all Windows Defender references.
* Download the PUA file at test-time to check if PUA is detected when the file is downloaded
* remove comment
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* update output file name to match expected
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
* Windows LaZagne
Adding test for LaZagne on Windows to collect passwords stored in browser. Issue #1030
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Changed the ms_office_version argument on test 1-4 to pull the latest version of office from registry instead of defaulting to 16.0
Added cleanup commands to test 5
Changed commands in tests 1-4 to account for changes in ms_office_version
* Update T1204.002.yaml
Added a new atomic to simulate an adversary using a malicious word doc to stage malicious .bat files in appdata then execute them.
* Update T1204.002.yaml
made default ms_office_version more robust to handle a box with multiple versions of office. It will select the latest
* Update T1204.002.yaml
added in the description what the .bat does