* Edited 1217 for Edge Chromium
Edited 1217 atomic as it also executes for Edge Chromium on Windows
* Updates T1217
Added Atomic for listing location of all FireFox bookmark databases
* typo fix
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Added test for T1106
* Added test for T1106
* Added test for T1106
* Added test for T1106
* Added test for T1106
* Added test for T1106
* Name and description updated
Removed the atomic test number because that is calculated based on the order the test shows up in the yaml. Added description of what user should expect by default it the test runs successfully.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* t1122 first blood
* add T1122 COM Hijacking leveraging .NET profiler dll
* update gitignore an cleanup
* a little more clean up :D and gitignores
* remove precopiled objs
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
* Update T1099.yaml
New Timestomp Atomic test added to emulate MITRE ATT&CKs recent APT29 evals.
https://attackevals.mitre.org/APT29
* Generate docs from job=validate_atomics_generate_docs branch=T1099Take2
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Added test for T1089 for Remove-Service, introduced in Powershell 6.0
* Added Stop-Service and changed Default Value to match Atomic Test 13
Co-authored-by: Marshall Darnell <md@Marshalls-MBP.localdomain>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: Marshall Darnell <marshalldarnell@protonmail.com>
* Updated T1086 - BloodHound/SharpHound Atomic Test
I have modified T1086-2 to work more effectively.
It now includes two test scenarios using SharpHound.
1. Using prereqs, will validate if sharphound.ps1 is found in the payloads directory within T1086 path. If not, it will download and store it locally.
2. Second test is a one liner that will download and run sharphound.
Input arguments added for hitting a internal domain and specifying the output directory.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Added color
It needed color. I added it.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Modified BloodHound Tests
Broke out the two BloodHound tests. One will execute from local disk, other will be from within memory.
Modified all payload paths to be from /src/ path.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Elevation Not Required
Modified elevation, not required to be admin
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1115.yaml
Update command for PowerShell so the contents of Get-Clipboard are actually invoked as an expression.
* Update Markdown PowerShell code snippet to reflect changes
* Pipe output of Get-Clipboard to iex in order to invoke the value of clipboard as a command
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Tsora-Pop