- Added a spool service startype check / update required to execute at boot as the service is dissabled in many VMs,
- Removed reg delete in test preventing successful execution,
- Updated commands to deal more gracefully with errors which were sometimes interrupting cleanup,
- Fixed DLL which was also broken:
- The EnumPrintProcessorDatatypesW needed for execution was not exported
- The Payload code was outside of the EnumPrintProcessorDatatypesW which is the function that gets called when the procesor gets loaded
- Added fixed source and build commands
Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1490.yaml
Adding new atomic Test for Windows - vssadmin Resize Shadowstorage Volume
* Update T1490.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Atomic Test #4 - RDP tunneling over Ngrok Cloud
Adding Atomic Test #4 - RDP tunneling over Ngrok Cloud to T1572
* change to int
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create T1562.009.yaml
Details:
Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot. This is achieved by modifying Boot Configuration Data (BCD) stores, which are files that manage boot application settings. Applying the following command which requires elevated privileges, causes the sytsem to boot in safe mode at next startup or restart.
"bcdedit /set safeboot network"
Testing
Testing was successfully carried out on Win 10 x64.
Cleanup commands "bcdedit /deletevalue {current} safeboot" was used to restore boot to normal
Associated Issues
None.
* Update T1562.009.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* adding linux client test to T1069.002 AD tests
* changed prereq for packages
* temp removing prereq
* adding first prereq
* prereq fails
* trying elevated permissions
* alright, no prereq
* Revert "temp removing prereq"
This reverts commit 3bc8ef5fb22dc09fa1ca2ad5282cbdbaf55280de.
* should work now
* removing prereq entirely
* correct dependency_executor
* adding prereq check for all packages
* adding input arg for password
* changing command to autoinclude password
* back to original command, starting work on 1078
* back to original command, starting work on 1078
* putting echo on command for runner to see arguments supplied
* continuing work on 1078
* first attempt at T1078.002
* removed extraneous code
* temp remove cleanup
* removed flag on echo
* updated first comand
* updating input variable ref
* removing flag again
* updating ou
* attempting to change ou to cn
* new uid
* explictely defining dc
* more attempts
* changed uid
* removed first uid
* trying without num
* changing cn back to ou
* change case
* fixed dc
* removing second dc ref
* following IBM guide
* removed extraneous space
* space between userpassword
* reintroducing dc
* added echo
* trying something new
* updated echo
* adding back admin user input
* attempting default
* trying add to previous group
* revert back to just admin user
* missed #
* adding back -x
* making ou and cn match
* attempting to match search style
* removing space
* improved formatting
* simplified
* replacing authentication
* -D object
* reintroduced admin user
* fixed top level domain
* return to old
* holding breath
* setting user to just person type
* removing uid from front
* changing dc
* trying to update cn
* update cn
* changing to object form... again
* chat gpt wrote this
* added cleanup
* updating command
* removed space
* added space
* revert from object
* looking into issues with cleanup command being unable to find user (yet it already exists)
* changed ldapdelete to ldapmodify
* updating temporary user name
* fixing typo in cleanup command
* creating new yaml file for T1136, similar to T1078. Future plans to modify T1078.002 to either run a process or elevate a user
* first attempt at creating domain admin
* changing CN to Domain Admins
* improved formatting (getting error 32)
* changing ldif file echo
* ldapadd to ldapmodify
* adding domain admins domain if it doesn't exist
* redo formatting
* removing create domain admin group
* trying ldapadd again
* updating prereq commands, removing admin requirement from ldapsearchs
* adding linux client test to T1069.002 AD tests
* changed prereq for packages
* temp removing prereq
* adding first prereq
* prereq fails
* trying elevated permissions
* alright, no prereq
* Revert "temp removing prereq"
This reverts commit 3bc8ef5fb22dc09fa1ca2ad5282cbdbaf55280de.
* should work now
* removing prereq entirely
* correct dependency_executor
* adding prereq check for all packages
* adding input arg for password
* changing command to autoinclude password
* back to original command, starting work on 1078
* back to original command, starting work on 1078
* putting echo on command for runner to see arguments supplied
* continuing work on 1078
* first attempt at T1078.002
* removed extraneous code
* temp remove cleanup
* removed flag on echo
* updated first comand
* updating input variable ref
* removing flag again
* updating ou
* attempting to change ou to cn
* new uid
* explictely defining dc
* more attempts
* changed uid
* removed first uid
* trying without num
* changing cn back to ou
* change case
* fixed dc
* removing second dc ref
* following IBM guide
* removed extraneous space
* space between userpassword
* reintroducing dc
* added echo
* trying something new
* updated echo
* adding back admin user input
* attempting default
* trying add to previous group
* revert back to just admin user
* missed #
* adding back -x
* making ou and cn match
* attempting to match search style
* removing space
* improved formatting
* simplified
* replacing authentication
* -D object
* reintroduced admin user
* fixed top level domain
* return to old
* holding breath
* setting user to just person type
* removing uid from front
* changing dc
* trying to update cn
* update cn
* changing to object form... again
* chat gpt wrote this
* added cleanup
* updating command
* removed space
* added space
* revert from object
* looking into issues with cleanup command being unable to find user (yet it already exists)
* changed ldapdelete to ldapmodify
* updating temporary user name
* fixing typo in cleanup command
* creating new yaml file for T1136, similar to T1078. Future plans to modify T1078.002 to either run a process or elevate a user
* first attempt at creating domain admin
* changing CN to Domain Admins
* improved formatting (getting error 32)
* changing ldif file echo
* ldapadd to ldapmodify
* adding domain admins domain if it doesn't exist
* redo formatting
* removing create domain admin group
* trying ldapadd again
* updating prereq commands, removing admin requirement from ldapsearchs
* small changes to search parameters
* changed Domains search to search for Domain Users
* added objectClass=group flag
* separating flag from string
* removing T1078, to be done in future
* added {cleartext} to admin password
* restoring deleted file. My antivirus really hates this file...
* update for spec
* update to spec
* adding name to atomic test
* moved from deprecated -h -p flags to -H flag
* fix cleanup commands with same flag changes
* add ldap://
* removing unused input variable, domain controller
* final commit, all tests passed with -H, updating the desc of T1136.002/4
---------
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Hare Sudhan