Hare Sudhan
8d9e66adf9
Update readme
2022-10-13 23:50:01 -04:00
Hare Sudhan
6841c430cb
poc added
2022-10-13 23:42:40 -04:00
Atomic Red Team doc generator
84cd4177fe
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-13 17:48:19 +00:00
harshalcoep
a7bf035f55
Modify description of "Disable UAC admin consent prompt" (#2184)
...
Changing the description of atomic test 251c5936-569f-42f4-9ac2-87a173b9e9b8 from "modifying the registry key" to "setting the registry key". In this context, the word "setting" sounds more appropriate than "modifying".
2022-10-13 11:47:48 -06:00
Atomic Red Team doc generator
112ee4dd2e
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-13 14:20:53 +00:00
Atomic Red Team GUID generator
540ae0d64c
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-10-13 14:20:47 +00:00
harshalcoep
c566f8d83f
New Atomic-Test (#2183)
...
* New Atomic-Test
Proposing a new atomic test "Disable UAC admin consent prompt". The existing atomic test with guid 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 disables UAC by setting the "EnableLUA" registry value to 0. UAC can also be disabled by setting the "ConsentPromptBehaviorAdmin" registry value to 0 (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4). This registry value has been altered by several malware families in the past (https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/, https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit, https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat). Hence, proposing a new atomic test with guid 251c5936-569f-42f4-9ac2-87a173b9e9b8 that bypasses UAC by setting the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0.
* add blog links
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-13 08:20:18 -06:00
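The following is an added example, not code from the Atomic Red Team repository or from the commit above: it exercises the ConsentPromptBehaviorAdmin change the commit describes, checks the resulting state, runs an optional Sysmon-based detection query, and restores the original value. The value meanings come from the MS-GPSB reference the commit links; the function names, the assumption that Sysmon is installed with RegistryEvent rules covering this path, and the use of an elevated session are this example's own.

```powershell
# Added example (not from the Atomic Red Team repository). Writing under HKLM
# requires an elevated PowerShell session.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin values per MS-GPSB: 0 = elevate without prompting,
# 1/2 = prompt for credentials/consent on the secure desktop, 3/4 = prompt for
# credentials/consent on the normal desktop, 5 = prompt for consent for
# non-Windows binaries (the Windows default).
function Get-UacAdminPolicy {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
    }
}

function Set-ConsentPromptBehaviorAdmin {
    param([ValidateRange(0, 5)][int]$Value)
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $Value -Type DWord
}

function Test-SilentAdminElevation {
    # True when UAC is nominally on (EnableLUA = 1) but administrators are
    # elevated with no prompt at all: the state the atomic test produces.
    $s = Get-UacAdminPolicy
    return ($s.EnableLUA -eq 1 -and $s.ConsentPromptBehaviorAdmin -eq 0)
}

$before = Get-UacAdminPolicy             # record state so cleanup can restore it
Set-ConsentPromptBehaviorAdmin -Value 0  # attack step: what the atomic test does

if (Test-SilentAdminElevation) {
    Write-Warning 'Admin consent prompts are disabled while UAC still appears enabled.'
}

# Optional detection check. Assumes Sysmon is installed with a RegistryEvent
# (Event ID 13, "value set") rule that covers this key.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ConsentPromptBehaviorAdmin' } |
    Select-Object TimeCreated, Message -First 5

# Cleanup: put the original value back rather than assuming the default of 5.
Set-ConsentPromptBehaviorAdmin -Value $before.ConsentPromptBehaviorAdmin
```

Checking EnableLUA together with ConsentPromptBehaviorAdmin matters because the two are independent: a host can report UAC as enabled while every administrator elevation goes through silently, which is why the commit treats this value as a separate test from the existing EnableLUA one.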
Atomic Red Team doc generator
eedbea628e
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-12 19:54:00 +00:00
Atomic Red Team GUID generator
b08b38f654
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-10-12 19:53:52 +00:00
CDub1016
3bff37d737
T1204.002 Added Test to Emulate Mirror Blast TA505 (#2180)
...
* Update T1204.002.yaml
Added Mirror Blast technique.
* Update T1204.002.yaml
Added cleanup command to Mirror Blast Test.
* Add files via upload
Added Excel sheet with macro to download 7zip.
* Add files via upload
Information about macro in Mirror Blast.
* use PathToAtomicsFolder
* add link to blog
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-12 13:53:10 -06:00
Atomic Red Team doc generator
cc0f4485ca
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-12 19:10:02 +00:00
Mohana Shankar D
051753b04f
Mshta Executes Remote HTML Application (HTA) - Process Termination (#2179)
...
Using the sleep command to run the application for 15 seconds with Start-Process; the process is then terminated using Stop-Process.
2022-10-12 13:09:24 -06:00
Atomic Red Team doc generator
9adadb0b01
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-09 14:43:11 +00:00
Atomic Red Team GUID generator
56e61e2130
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-10-09 14:43:04 +00:00
Jose Enrique Hernandez
d0ce538c94
Merge pull request #2081 from ketumbra/2080
...
fixes #2080: macOS audio recording
2022-10-09 10:42:29 -04:00
ketumbra
14298afc74
Merge branch 'master' into 2080
2022-10-08 19:01:19 +01:00
Atomic Red Team doc generator
90212b5fa4
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-04 22:35:06 +00:00
tlor89
2c17fe046c
T1082_update (#2178)
...
* T1082_update
* Update prereq description
Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-04 16:34:35 -06:00
Atomic Red Team doc generator
c3788b083e
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-04 22:33:31 +00:00
tlor89
cf8cae7466
T1055 (#2177)
...
* T1055
* Update input args description
Co-authored-by: Toua Lor <tlor@nti.local>
2022-10-04 16:33:02 -06:00
Atomic Red Team doc generator
297c6a48d1
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-03 22:41:21 +00:00
tlor89
19ace944f7
T1055.004_Update (#2175)
...
* T1055.004_Update
* Update T1055.004.yaml
Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 16:40:55 -06:00
Atomic Red Team doc generator
4eb79b9d8a
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-03 22:37:35 +00:00
tlor89
8c02a45145
T1048.002 (#2173)
...
* T1048.002
* Update T1048.002.yaml
Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 16:36:57 -06:00
Atomic Red Team doc generator
52d1f72af2
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-03 22:33:32 +00:00
frack113
f41e92b834
T1547.001 Fix test a70faea1-e206-4f6f-8d9a-67379be8f6f1 (#2171)
...
* Fix test a70faea1-e206-4f6f-8d9a-67379be8f6f1
* Restore b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 16:32:48 -06:00
Atomic Red Team doc generator
7e1529fbca
Generated docs from job=generate-docs branch=master [ci skip]
2022-10-03 15:43:49 +00:00
Atomic Red Team GUID generator
5e91e948fc
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-10-03 15:43:42 +00:00
sourabhsharmasourabh
d081d1dc33
New Atomic test 29 - iwr download (#2172)
...
* New Atomic test 29 - iwr download
iwr or Invoke-WebRequest download. Use 'iwr' or "Invoke-WebRequest" with the -URI argument to download a file from the web. Note: it also works without -URI in some versions.
* Update T1105.yaml
* Update T1105.yaml
At line 793, added the line for elevation required: true, as it was missed earlier.
* Update T1105.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 09:43:01 -06:00
ketumbra
457687dc9b
Merge branch 'master' into 2080
2022-09-30 22:21:40 +01:00
ketumbra
52d550c2b3
check outfile exists first and use stat for size check
...
Co-authored-by: packetzero <20775507+packetzero@users.noreply.github.com>
2022-09-30 22:20:59 +01:00
ketumbra
53e53525a8
use named var and simplify exit
2022-09-30 21:42:53 +01:00
ketumbra
9f908989d7
use named vars
...
Co-authored-by: packetzero <20775507+packetzero@users.noreply.github.com>
2022-09-30 21:15:22 +01:00
ketumbra
34ff8e44d0
use named vars
...
Co-authored-by: packetzero <20775507+packetzero@users.noreply.github.com>
2022-09-30 21:15:11 +01:00
Atomic Red Team doc generator
9e5b12c491
Generated docs from job=generate-docs branch=master [ci skip]
2022-09-30 17:12:19 +00:00
Atomic Red Team GUID generator
0186f8aba8
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-09-30 17:12:13 +00:00
Narasimha2218
a0f872e11a
UltraVNC Execution - New atomic test (#2169)
...
* UltraVNC Execution - New atomic test
An adversary may attempt to trick the user into downloading UltraVNC for use as a C2 channel.
Upon successful execution, UltraVNC will be executed.
* typo fix
* remove space
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-09-30 11:11:44 -06:00
Atomic Red Team doc generator
09b7ade645
Generated docs from job=generate-docs branch=master [ci skip]
2022-09-29 17:15:18 +00:00
Atomic Red Team GUID generator
5d77f4da7e
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-09-29 17:15:10 +00:00
Carrie Roberts
68633fc0e2
Set Custom AddToHistoryHandler to Avoid History File Logging (#2168)
...
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2022-09-29 11:14:32 -06:00
Atomic Red Team doc generator
1cf4dd51f8
Generated docs from job=generate-docs branch=master [ci skip]
2022-09-27 23:39:17 +00:00
tlor89
0928ea6baa
T1546.009 (#2167)
...
Co-authored-by: Toua Lor <tlor@nti.local>
2022-09-27 17:38:44 -06:00
Atomic Red Team doc generator
6586dc3be0
Generated docs from job=generate-docs branch=master [ci skip]
2022-09-27 15:14:14 +00:00
frack113
29d88cdb48
T1072 Fix GetPrereqs (#2164)
...
* Small Fix
* Remove cleanup
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-09-27 09:13:36 -06:00
Jose Enrique Hernandez
a1959b4c2b
Merge branch 'master' into 2080
2022-09-27 10:13:44 -04:00
Atomic Red Team doc generator
9bdd7fceba
Generated docs from job=generate-docs branch=master [ci skip]
2022-09-26 17:59:20 +00:00
frack113
5b7eb3fe8b
Fix download dependencies (#2165)
...
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-09-26 11:58:46 -06:00
Atomic Red Team doc generator
b07c165d9e
Generated docs from job=generate-docs branch=master [ci skip]
2022-09-26 17:51:03 +00:00
Atomic Red Team GUID generator
ff75bdc167
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-09-26 17:50:55 +00:00
Thomas de Brelaz
c0c31e4c0c
T1547.001 runkeys (#2150)
...
* added tests 10-15 to T1547.001.yaml covering various missing keys used for run persistence
Committer: Thomas De Brelaz <thockoro@hotmail.com>
* fixed name for test 14
Committer: Thomas De Brelaz <thockoro@hotmail.com>
* added missing HKLM test for explorer run key
Committer: Thomas De Brelaz <thockoro@hotmail.com>
* readability improvements
* fixed readability issues
Committer: Thomas De Brelaz <thockoro@hotmail.com>
* small yaml typo fix
Committer: Thomas De Brelaz <thockoro@hotmail.com>
Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-09-26 11:50:21 -06:00
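The following is an added example, not code from the Atomic Red Team repository or from the T1547.001 run-key commit above: it snapshots the common Run/RunOnce-style autostart locations before and after the atomics are executed and prints what was added, which is how a defender confirms that each new test actually lands in a key their telemetry covers. The list of key paths is this example's assumption of the usual locations (including the HKLM Policies\Explorer\Run key the commit mentions), not the repository's own list, and the commented Invoke-AtomicTest call is a placeholder for whatever tests you run.

```powershell
# Added example (not from the Atomic Red Team repository). Assumed set of
# autostart subkeys, checked under both HKLM and HKCU.
$RunKeyPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry provider adds these bookkeeping properties to every Get-ItemProperty result.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyValues {
    param([string]$KeyPath)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $ProviderProps) { continue }
        [pscustomobject]@{ Key = $KeyPath; Name = $p.Name; Command = [string]$p.Value }
    }
}

function Get-RunKeyEntries {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in $RunKeyPaths) {
            $path = "${hive}:\$sub"
            if (-not (Test-Path -Path $path)) { continue }
            Get-RunKeyValues -KeyPath $path
            # RunOnceEx (and some tooling) stores entries in numbered subkeys,
            # so look one level down as well.
            Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
                ForEach-Object { Get-RunKeyValues -KeyPath $_.PSPath }
        }
    }
}

function Compare-RunKeySnapshots {
    param($Before, $After)
    Compare-Object -ReferenceObject @($Before) -DifferenceObject @($After) -Property Key, Name, Command |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Key, Name, Command
}

$before = Get-RunKeyEntries
# Invoke-AtomicTest T1547.001   # run the persistence atomics here (placeholder)
$after  = Get-RunKeyEntries
Compare-RunKeySnapshots -Before $before -DifferenceObject $after | Format-Table -AutoSize
```

Note that the final call must pass `-After $after`, not `-DifferenceObject`; corrected invocation: `Compare-RunKeySnapshots -Before $before -After $after | Format-Table -AutoSize`. Run the snapshot as the same user the atomics run as, since the HKCU entries belong to that user's hive, and remember that the atomics' cleanup commands remove the values again, so take the second snapshot before cleanup.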