59f2b264e9
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-15 05:02:01 +00:00
5aed1f0210
moving .ps1 source in T1056 to /src folder ( #663 )
...
* moving source code to /src
updated path of .ps1 source files here to best practices /src directory for all source code files
* moving input ps1 file for 1056, from PowerShellMafia/PowerSploit (moving file only)
moving the file to /src
* deleting file to complete move
2019-11-14 22:01:43 -07:00
70d795ffa2
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-15 03:38:21 +00:00
5259c936c1
Updated T1002 ( #655 )
2019-11-14 20:37:26 -07:00
ddadfbb3bf
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-14 22:57:31 +00:00
e93ed496ac
default pid set to spoolsv ( #656 )
2019-11-14 15:57:07 -07:00
41ca40f457
Broken URL ( #661 )
...
* Broken URL
Fixed broken url for test 1
* Generate docs from job=validate_atomics_generate_docs branch=t1085fix
2019-11-14 15:30:19 -06:00
9980382b3d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-14 21:11:25 +00:00
9530b27936
T1085 deleting wrong "extra" quotation mark ( #652 )
...
There are 5 quote symbols in a single command. Executing the given command generates a JScript error "Unterminated string constant"
Deleting the extra quote causes the command to correctly open notepad.exe
2019-11-14 14:10:57 -07:00
fdd2927285
T1216 Added tests for proxied script execution ( #627 )
...
* Added script proxy tests
* Generate docs from job=validate_atomics_generate_docs branch=t1216_tests
* Moving command
* Generate docs from job=validate_atomics_generate_docs branch=t1216_tests
2019-11-14 14:07:28 -07:00
d6f8628818
T1485 Test to delete backup files similar to Ryuk ( #659 )
...
* T1485 Test to delete backup files similar to Ryuk
* Generate docs from job=validate_atomics_generate_docs branch=t1485-del-backups
2019-11-14 14:06:09 -07:00
e8d584cb5c
T1085 - Atomic Friday ( #660 )
...
* Atomic Friday - T1085 Adds
Atomic Friday - T1085 Adds
* Generate docs from job=validate_atomics_generate_docs branch=T1085
* Atomic Friday - Ready
Atomic Ready!
* Generate docs from job=validate_atomics_generate_docs branch=T1085
2019-11-14 15:04:08 -06:00
5a0e4482dd
T1089 Disable Arbitrary Security Service ( #658 )
...
* T1089 Disable Arbitrary Security Service
* spelling is hard
* Generate docs from job=validate_atomics_generate_docs branch=1089-service
2019-11-14 13:46:42 -07:00
08c4b265be
T1077 PsExec Test ( #657 )
...
* T1077 PsExec Test
* Generate docs from job=validate_atomics_generate_docs branch=t1077
2019-11-14 13:43:23 -07:00
dce95a96da
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-14 06:15:58 +00:00
c36b28eef8
Added cleanup command for fax binary ( #654 )
2019-11-13 23:15:34 -07:00
5dbf1b7864
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-13 23:42:50 +00:00
b22483e2f1
T1090 add proxy reg key ( #653 )
...
Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
2019-11-13 16:41:46 -07:00
406b4a1f77
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-13 00:52:25 +00:00
3fdc8ee7de
Cleanup test 6, 7 ( #648 )
...
Changing default value from env:SystemRoot to env:Temp. By default, user can write to systemroot temp directory but cannot execute the cleanup commands. Correcting typo scvhost to svchost.
2019-11-12 17:51:57 -07:00
9412dc71f4
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-13 00:50:03 +00:00
95f0e151ea
create simple sdb file ( #649 )
2019-11-12 17:49:38 -07:00
52d472a70c
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 22:09:07 +00:00
fb4c322761
Added cleanup commands for test 1 & 2 ( #651 )
...
Also changed the default process for test 3 to spoolsv.exe because this exists by default on all machines.
2019-11-12 15:08:47 -07:00
e5da8a341a
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 07:37:40 +00:00
aa0aca3b2e
T1070 delete system logs using power shell ( #642 )
...
* stop eventlog service and delete Security.evtx logs
* add tests
* fix format error
* try 2 fix formatting
2019-11-12 00:37:19 -07:00
0a1f37aa54
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 07:26:51 +00:00
da90ca6563
T1036 malicious process masquerade as lsm ( #637 )
...
* create test, fix lined endings
* fix elevation requried
* fix file path
* fix formatting for circleci test
* misspelling
2019-11-12 00:26:37 -07:00
d5217939c7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 07:09:21 +00:00
df73365c8a
Updated executor to powershell and updated command syntax. ( #635 )
2019-11-12 00:08:58 -07:00
7a26c61e28
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 05:57:19 +00:00
108cf663a8
Insert cleanup_command for test 2 ( #646 )
2019-11-11 22:56:53 -07:00
49f98f60ce
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-12 05:22:40 +00:00
bf7bc47752
Separated out Cleanup Commands ( #645 )
2019-11-11 22:22:17 -07:00
26e0f443b9
T1170 remote hta ( #633 )
...
* T1170 Remote HTA test
* Generate docs from job=validate_atomics_generate_docs branch=t1170-remote-hta
2019-11-11 07:45:07 -07:00
5332936f8f
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-11 01:55:17 +00:00
36188490dc
removed duplicate 'atomic_tests:' key ( #631 )
2019-11-10 19:54:57 -06:00
eb9f0fbcd6
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-09 02:14:44 +00:00
940b93af67
Added two more generic tests to T1036: test 6 and test 7. Test 6 meant to masquerade non-windows exes as real windows exes. Test 7 meant to masquerade windows exes as other windows exes. Added cleanup and input arguments logic to test 6 and 7. Added a generic executable for testing masquerading a non-windows exe as a windows exe. Added source files used for creating the executable in the T1036\bin folder. ( #617 )
2019-11-08 19:14:13 -07:00
7f62513b8e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-09 02:07:46 +00:00
60b045eb3c
T1028 fixing parameter in powershell Invoke-Command ( #630 )
...
* T1028 fixing named parameter in Invoke-Command
Changing computer_name for correct parameter ComputerName
* FT1028 fixing ComputerName parameter in .yaml
2019-11-08 19:07:27 -07:00
fa1f9d95dc
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-09 02:03:33 +00:00
2b9b99adcc
T1022 parameters that can actually be parsed by windows command prompt ( #626 )
2019-11-08 19:03:10 -07:00
e2309b30af
T1218 proxied binary execution tests ( #628 )
...
* Added proxied binary execution tests
* Generate docs from job=validate_atomics_generate_docs branch=t1218_tests
2019-11-08 18:57:19 -07:00
31cb175475
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-08 17:47:02 +00:00
c648b94ff1
remove hard-coded path to atomics foler in tests ( #618 )
2019-11-08 11:46:46 -06:00
43683f44af
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-07 22:28:26 +00:00
cb5f6c91a6
T1055 svchost writing a file to a unc path ( #615 )
...
* add test
* delete fake svchost
* Update atomics/T1055/T1055.yaml
Co-Authored-By: Keith McCammon <keith@mccammon.org >
* Update atomics/T1055/T1055.yaml
Co-Authored-By: Keith McCammon <keith@mccammon.org >
2019-11-07 15:27:56 -07:00
a86c0a5a9f
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-07 21:20:17 +00:00
c58f6496d6
Add test for T1170 that launches local notepad via VBScript called by… ( #505 )
...
* Add test for T1170 that launches local notepad via VBScript called by Mshta
* Apply suggestions from code review
updates to the atomic name & description
Co-Authored-By: Keith McCammon <keith@mccammon.org >
* Update T1170.yaml
updated the input_arguments type to 'path' and the default value to 'C:\Temp\mshta_notepad.vbs'
* Removed TODOs to pass validation
2019-11-07 15:19:51 -06:00
CircleCI Atomic Red Team doc generator