* Shortcut additions to user startup
New addition to test creating a shortcut link to an executable in a user's startup directory
* Update T1547.001.yaml
* remove extra whitespace
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Separate CI steps so GitHub status checks can reference the right checks
* Generate docs from job=generate_docs branch=bb-separate-ci-steps
* Commit GUIDs after generating; require GUIDs before other steps
* Fix config
* Generate GUIDs from job=generate_guids branch=bb-separate-ci-steps
* Generate docs from job=generate_docs branch=bb-separate-ci-steps
* Better wording
* Update config.yml
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Create T1595.002.yaml
* Added vbscript (griffon recon) for test 1
Script ref. (public gist) https://gist.githubusercontent.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d/raw/55ecbf8f83c36984371a335991f6cf4f2022319b/gistfile1.txt
* added run as priv user
n/a
* removed guid accidentally put in
* removed extra line
* checking syntax final
* remove dependency line
* minor updates to invoke the build process again
* removing elevation required
Thanks for that additional review, Carrie
* moving to T1082 per review
* adding test 8 (griffon recon)
* create griffon_recon.vbs for test 8
The script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d),
and it gives the exact same recon behavior, hash mentioned in the code, as the original (minus the C2 interaction).
* moving vbs file to T1082 per review
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update maintainers.md
Remove reference to announcements channel, which has been created.
* Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates
* Update maintainers.md
Updates to maintainers meeting purpose, scope, and agendas.
* Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Adding in Workflow Compiler Tests
This adds 2 workflow compiler tests.
1.) Test 6 will execute workflow compiler with a pre-built assembly that invokes calc.
2.) Test 7 will rename workflow compiler and execute the same pre-built assembly that invokes calc.
* minor path updates
Co-authored-by: Jimmy Astle <jastle@vmware.com>
* update output file name to match expected
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-1
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Allow the root user on Linux systems to run 'T1087.001: Account Discovery: Local Account - List opened files by user' by updating how $username is determined
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
* Windows LaZagne
Adding test for LaZagne on Windows to collect passwords stored in browser. Issue #1030
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
* Generate docs from job=validate_atomics_generate_docs branch=T1555.003
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Changed the ms_office_version argument on tests 1-4 to pull the latest version of Office from the registry instead of defaulting to 16.0
Added cleanup commands to test 5
Changed commands in tests 1-4 to account for changes in ms_office_version
* Update T1204.002.yaml
Added a new atomic to simulate an adversary using a malicious word doc to stage malicious .bat files in appdata then execute them.
* Update T1204.002.yaml
Made default ms_office_version more robust to handle a box with multiple versions of Office. It will select the latest.
* Update T1204.002.yaml
Added to the description what the .bat does
* T1014 - Driver rootkit test
Fixed Test 3 per issue #1153.
- Added pre-req
- New comments for additional info on retrieving the capcom driver
- Added elevation required
- Added new input argument for puppetstrings.exe
Confirmed operational on win10.
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Fixed GUID
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Update used_guids.txt
Co-authored-by: CircleCI Atomic Red Team doc generator <email>