bb945c8d61
T1088 mocking trusted directories - New Atomic ( #704 )
...
* Created rough draft for new atomic: T1088 - UAC Bypass via Mocking
Trusted Directories.
* Fixed typo in Mocked directory. Tested cleanup commands successfully.
* Fixed path of cleanup command to match change in directory of primary
command.
2019-12-02 09:39:07 -07:00
380a113809
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-02 16:37:13 +00:00
42280e035a
T1088- Added cleanup commands ( #705 )
...
* Added cleanup commands to the other atomic tests.
* Fixed cleanup command for the command_prompt version of "Bypass UAC using Fodhelper"
2019-12-02 09:36:43 -07:00
0b96ad46c7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-27 16:07:50 +00:00
128f6054e4
recon trickbot style ( #696 )
2019-11-27 10:07:33 -06:00
6d76b77fc4
T1089 Disable AMSI & Script Block Logging ( #695 )
...
* T1089 Disable PoSH AMSI & Script Block Logging
* Generate docs from job=validate_atomics_generate_docs branch=t1089-disable-amsi-logging
2019-11-26 18:06:03 -07:00
6d1229ee56
T1027 Execution of base64 PowerShell ( #694 )
...
* T1027 base64-encoded PowerShell tests
* Generate docs from job=validate_atomics_generate_docs branch=t1027-base64-posh
2019-11-26 18:03:20 -07:00
20563e42ed
T1112 Registry Modification to Store PowerShell Code ( #693 )
...
* T1112 - Storing PoSH code in Registry
* Generate docs from job=validate_atomics_generate_docs branch=t1112-posh-code
2019-11-26 17:59:41 -07:00
979695d818
T1018 Discovery with net.exe for Domain Computers ( #692 )
...
* T1018 - Discover systems with net domain computers
* Generate docs from job=validate_atomics_generate_docs branch=t1018-net-domain-computers
2019-11-26 17:44:32 -07:00
3d06083dbe
-ShowDetails without adding '-InformationAction Continue' ( #686 )
...
* ShowDetails without -InformationAction Contnue
* ShowDetails without -InformationAction Contnue
* ShowDetails without -InformationAction Contnue
2019-11-25 11:28:08 -06:00
24415af3bb
Python execution framework fix: use any value type ( #691 )
...
* Python execution framework fix: use any value type
This change removes the function convert_to_right_type.
Currently whenever a new parameter type is added (i.e. T1058 uses type "registry"), Python script runner crashes with "An error occurred while running the suite. Value type registry does not exist!". This wouldn't be a problem if the convert_to_right_type function did some real validation but as it stands today the function convert_to_right_type doesn't really do anything (except for casting integers into strings). If a type that needs some serious validation/conversion ever comes up the function may be reinstated.
* Deleting convert_to_right_type function
2019-11-25 10:10:55 -07:00
0954cf3e57
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-25 17:06:20 +00:00
396cdf4d92
fix duplicate key in yaml issues ( #690 )
2019-11-25 11:05:55 -06:00
088081e033
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-25 16:55:57 +00:00
abefc468d2
T1137 - Word spawned a command shell and used an IP address in the command line ( #610 )
...
* create document and test
* update default atomics path
* refactor tests
* change back path
The PathToAtomicsFolder path works when installed from the script, but when closed from github the folder name is different. I think we should unify these and just have people clone from github if they want to use it, instead of having a seperate install script.
* removed duplicate, used powershell to launch document
2019-11-25 09:55:38 -07:00
1b05ec3b29
Added Hostname to ExecutionLog ( #688 )
...
* Added Hostname to ExecutionLog
* added username
2019-11-22 12:57:29 -07:00
389c115caa
removing dead links ( #687 )
2019-11-22 12:51:22 -07:00
8b64037681
remove atomic-red-team-master folder from install ( #689 )
...
* remove extra atomic-red-team-master folder for install
* remove extra atomic-red-team-master folder for install
2019-11-22 11:57:30 -07:00
5f087ec34d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-21 03:07:05 +00:00
5bf01b6c2c
T1482 query ad/domain info ( #676 )
...
* start work
* Update T1482.yaml
2019-11-20 21:06:47 -06:00
802b693f29
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-20 22:55:45 +00:00
31151185e5
T1122 - Update to use PathToAtomicsFolder ( #681 )
...
* T1122 - Update to use PathToAtomicsFolder
Removed relative path to src folder, added PathToAtomicsFolder
* Modifying .md file
2019-11-20 15:55:28 -07:00
10a52d388b
T1077 Redirect output to Admin Share ( #685 )
...
* T1077 Redirect output to Admin Share
* Generate docs from job=validate_atomics_generate_docs branch=t1077-admin-output
2019-11-20 15:46:24 -07:00
ccb4a26407
T1082 Add Hostname and MachineGUID tests ( #683 )
...
* T1082 Add Hostname and MachineGUID tests
* Generate docs from job=validate_atomics_generate_docs branch=t1082-hostname-machineguid
2019-11-20 15:42:33 -07:00
0afc5beb6f
T1016 Firewall Rule Enumeration with Netsh ( #682 )
...
* T1016 Firewall Rule Enumeration with Netsh
* Generate docs from job=validate_atomics_generate_docs branch=t1016-firewall-enum
2019-11-20 15:38:52 -07:00
9c68146ff9
T1057 Process discovery via tasklist ( #680 )
...
* T1057 Process discovery via tasklist
* Generate docs from job=validate_atomics_generate_docs branch=t1057-tasklist
2019-11-20 15:37:48 -07:00
8eb281faa6
T1047 - Wmic process create tests ( #679 )
...
* T1047 - Wmic process create tests
* Generate docs from job=validate_atomics_generate_docs branch=t1047-wmic-process
2019-11-20 15:36:42 -07:00
4c3e2c3d83
T1018 Test for DC discovery with nltest ( #678 )
...
* T1018 Discover DCs with nltest
* Generate docs from job=validate_atomics_generate_docs branch=t1018-nltest-dclist
2019-11-20 15:34:54 -07:00
713215eaf7
Added T1064 Scripting test for Windows ( #677 )
...
* Added T1064 Scripting test for Windows
* Generate docs from job=validate_atomics_generate_docs branch=t1064-batch-script
2019-11-20 15:33:52 -07:00
947627a84d
T1105 PowerShell download test ( #684 )
...
* T1105 PowerShell download test
* Generate docs from job=validate_atomics_generate_docs branch=t1105-powershell-test
2019-11-20 15:32:40 -07:00
586684d308
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-19 22:24:59 +00:00
c5b2c92ad3
cleanup tests ( #673 )
...
* cleanup tests
* fix path issue and add elevation requirements
* fix format
* remove redundant tests
2019-11-19 15:24:45 -07:00
a49e529a34
Leverage PathToAtomicsFolder in Python framework ( #675 )
...
Parsing the command to replace PathToAtomicsFolder variable.
Can-t use environment variables as some Powershell based tests use "$PathToAtomicsFolder".
I admit that it-s a bit hackish but I think it-s the most straightforward way to handle this without going through a major refactor of this framework
2019-11-19 15:20:59 -07:00
24ff7c7173
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-19 22:14:12 +00:00
934aaa1435
T1023 LNK file to launch CMD placed in startup folders ( #674 )
...
* put lnk files in startup folder
* fix typo
2019-11-19 15:13:45 -07:00
b5db6b26fb
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 23:27:24 +00:00
ea619c49a3
create scheduled tasks a couple way to run on startup ( #672 )
2019-11-18 16:27:09 -07:00
69834f6b88
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 20:46:06 +00:00
826abe638e
windows and powershell tests to recon data and write it to temp file for export ( #671 )
2019-11-18 13:45:33 -07:00
a684542241
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 20:40:16 +00:00
3c9704117d
T1135 recon avalaible share drives ( #670 )
...
* net share command
* update description
2019-11-18 13:39:58 -07:00
9658da76bc
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 15:50:50 +00:00
aeeba08bbc
Reach out to C2 Pointer URLs via command line ( #644 )
...
* add urls and create test folder
* make test more realistic, cleanup command still broken
* use C drive instead of Temp because of permissions
* update paths
* update descriptions
2019-11-18 09:50:35 -06:00
08fddb3940
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 15:44:19 +00:00
e9e93b3907
T1208 kerberoasting with invoke kerberoast ( #548 )
...
* Add test for T1208 that does Kerberoasting
Kerberoasting with Invoke-Kerberoast
* Rename atomics/T1208 to atomic/T1208/T1208.yaml
* Rename atomic/T1208/T1208.yaml to atomics/T1208/T1208.yaml
* Update T1208.yaml
* Update T1208.yaml
2019-11-18 08:43:47 -07:00
b3917a661f
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 15:31:37 +00:00
cf3e90ec91
T1075 new test added and other test t1023 t1044 t1058 ( #625 )
...
* Add test for T1058 that does check weak services
* Add test for T1023 that modified shortcut and execute
* Add test for T1044 that check weak files permission
* Update T1044.yaml
* Update T1058.yaml
* Update T1023.yaml
* Update T1075.yaml
* Delete .T1023.yaml.swp
* Update T1044.yaml
* Update T1023.yaml
* Update T1058.yaml
* Update T1075.yaml
2019-11-18 08:31:16 -07:00
8c7e1fcb9d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 15:29:04 +00:00
65d0f6dc5d
Zip a folder with PowerShell ( #640 )
...
* add test to compress directory and delete it
* remove cleanup command sbecause I don't have a way to test them yet
* fix paths
* fix command misspelling
* zip into C drive
* fix paths to Temp finally
* move to data staging
2019-11-18 08:28:44 -07:00
232fb47eda
Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-18 15:19:08 +00:00
dwhite9