* Non-Windows OS Support
Added OS Identification to determine tests to run
Added SH and Bash executors for Linux and MacOS
Changed some Print statement oddities in ART
Updated Installation script to work on non-windows machines
* Updated Documentation
Edited the readme to be more OS neutral
Added information for the -force option in the installer
Added instructions for downloading powershell core on Mac and Linux
* Last Bugs
added chown to install script
* Install -force test install path
```powershell
if (Test-Path $InstallPath){ Remove-Item -Path $InstallPath -Recurse -Force -ErrorAction Stop | Out-Null }
```
* minor changes
Write-Host error messages
Installer - Import-Module $modulePath -Force
* Chown weird on MacOS
```powershell
chown -R $env:SUDO_USER $InstallPath
```
* README edits
clearing up $home $homedrive shenanigans
* \n in markdown issues
* Readme edits #2
* add invoke-atomictest to main page readme
* add instructions for running it more smoothly when cloned from github
* Update README.md
* Update README.md
* T1028 fixing named parameter in Invoke-Command
Changing computer_name for correct parameter ComputerName
* FT1028 fixing ComputerName parameter in .yaml
* Add test for T1170 that launches local notepad via VBScript called by Mshta
* Apply suggestions from code review
updates to the atomic name & description
Co-Authored-By: Keith McCammon <keith@mccammon.org>
* Update T1170.yaml
updated the input_arguments type to 'path' and the default value to 'C:\Temp\mshta_notepad.vbs'
* Removed TODOs to pass validation
Seems like there is an extra tab here which is causing my yaml parser to break.
```
yaml.scanner.ScannerError: while scanning for the next token
found character '\t' that cannot start any token
in "<unicode string>", line 3, column 33:
display_name: Software Discovery
```
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
* Syncing changes with upstream and origin.
* Added Cleanup to Logon Scripts Atomic T1037
* Added timeout to allow time for detection logic to register change.
* Fixed issue with upstream sync, re-added timeout to allow time for detection logic.
* Fixed cleanup command. Yaml tag not working to allow it to run.
* Update T1158 test 11.
Corrected ADS syntax. Added loop to run embedded ADS command from shell. Also added cleanup code.
* Update T1037.yaml
Moved Reg delete command under the cleanup_command tag for consistency.
* Update T1037.yaml
Moved reg removal command under cleanup_command tag for consistency.
* Update T1086.yaml
Bug Fix: Updated Base64 encoded command in T1086-12 with correct syntax and environment variables for PowerShell compatibility (was for cmd.exe only). Original decoded payload referenced %SystemRoot%, whereas PowerShell uses $env:SystemRoot. Also replaced single quotes with double quotes to prevent PowerShell from interpreting it as a literal string.
Enhancement: Added Cleanup_commands for T1086-12. Added comments for what the Base64 encoded payload is.
* Update T1036.yaml
Added Cleanup commands for the windows tests
The `-o` flag exists only for the macOS ping command; it doesn't in the Linux (Ubuntu) command.
I just removed it, it should be necessary since it is already using `-c 1`.