* spelling update and new test
minor spelling update and adding in test for enterprise admins group enumeration
* couple more syntax updates
couple more syntax updates
* Updating cmdline abbreviation
these are valid cmdline abbreviations. I was too quick to update :)
* Clean up swp
cleaning up swap file
* putting back original discovery commands
* one last change
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Quick test for default domain administrator account enumeration
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1070.003.yaml
* Update T1078.001.yaml
* Update T1113.yaml
Remove error from screen when cleaning up for T1113-5
* Update T1197.yaml
Remove error when cleaning up for T1197-4
* Update T1562.001.yaml
Remove error from cleanup of T1562.001-23
* Update T1562.004.yaml
Remove error shown for cleanup of T1562.004-5 and T1562.004-6
* Update T1574.009.yaml
Remove error from cleanup of T1574.009-1
* Update T1553.004.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
The following [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) have been released to simulate [T1059.001](https://attack.mitre.org/techniques/T1059/001/) in various capacities, including the use of `EncodedArguments`, variations of `EncodedCommand`, and command line switch types. Input arguments may be manipulated as needed to enhance simulation; they may all be found by reviewing the individual Harness code or by importing the ATH module and running `get-help`.
Adding additional tests to:
- T1059.001 - Command and Scripting Interpreter: PowerShell
For the pre-req, it will use the recently released AtomicTestHarnesses [PowerShellGallery](https://www.powershellgallery.com/packages/AtomicTestHarnesses) module, installed with `Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force`.
Confirmed all tests are operational on Windows 10, non privileged user.
Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources.
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* better name
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-14
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* cleaner title
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-13
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* title clarification
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-12
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* move cleanup to cleanup command
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-11
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Introduce AtomicTestHarness Tests to ART
Adding:
- T1134.004 - Access Token Manipulation: Parent PID Spoofing
- T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
- T1218.005 - Signed Binary Proxy Execution: Mshta
These tests utilize the recently released [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) to simulate the base tests from each ATH Harness. Input arguments may be manipulated as needed to enhance simulation.
* Generate docs from job=validate_atomics_generate_docs branch=atomictestharness-tests
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Update T1113.yaml
Update test #4 to include a prereq that downloads ImageMagick, update test #4's name, and update test #4's description.
* fix yaml spacing
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Adding New Test
Adding a new test that will invoke the command that Ryuk ransomware uses.
* more descriptive wording
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>