* little cleanup and correction to sharphound tests
* Update T1099.yaml
New Timestomp Atomic test added to emulate MITRE ATT&CK's recent APT29 evals.
https://attackevals.mitre.org/APT29
* Generate docs from job=validate_atomics_generate_docs branch=T1099Take2
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Added test for T1089 for Remove-Service, introduced in PowerShell 6.0
* Added Stop-Service and changed Default Value to match Atomic Test 13
Co-authored-by: Marshall Darnell <md@Marshalls-MBP.localdomain>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: Marshall Darnell <marshalldarnell@protonmail.com>
* Updated T1086 - BloodHound/SharpHound Atomic Test
I have modified T1086-2 to work more effectively.
It now includes two test scenarios using SharpHound.
1. Using prereqs, will validate if sharphound.ps1 is found in the payloads directory within T1086 path. If not, it will download and store it locally.
2. Second test is a one-liner that will download and run sharphound.
Input arguments added for hitting an internal domain and specifying the output directory.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Added color
It needed color. I added it.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Modified BloodHound Tests
Broke out the two BloodHound tests. One will execute from local disk, the other will be from within memory.
Modified all payload paths to be from /src/ path.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Elevation Not Required
Modified elevation, not required to be admin
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1115.yaml
Update command for PowerShell so the contents of Get-Clipboard are actually invoked as an expression.
* Update Markdown PowerShell code snippet to reflect changes
* Pipe output of Get-Clipboard to iex in order to invoke the value of clipboard as a command
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
The file has to be marked as executable before it can run. When the repository is cloned there is no executable flag set and running the test would cause the following error: `failed to run command '/home/user/src/atomic-red-team/atomics/T1154/../T1154/src/echo-art-fish.sh': Permission denied`. Using `sh` with the `trap` command fixes the issue and doesn't require manually setting the flag.