The Notepad process was not terminating after the command execution
Line Added:
taskkill /im notepad.exe /t /f > NUL 2>&1
The /t option makes sure any child processes are closed as well, and the /f option forcefully terminates the process.
The > NUL redirects the stdout to the NUL device (the equivalent of /dev/null) and the 2 >&1 also redirects the stderr to stdout so that nothing is output to the console
* Created 3 copies of the original HKCU tests but on HKLM
Committer: Thomas De Brelaz <thockoro@hotmail.com>
* Removed Notify tests, no longer supported in win10 and the tests were broken due to missing dll prerequisite
* re-added notify test
Committer: Thomas De Brelaz <thockoro@hotmail.com>
Committer: Thomas De Brelaz <thockoro@hotmail.com>
Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
xcopy doesn't work when there is a trailing \ in a path.
default: PathToAtomicsFolder\T1505.003\src\ caused the "Invalid path" error
Removing the trailing \ fixes the issue
Fix for systems with multiple authorized keys. Without quotes, the echo command separates new lines with space instead of new line character which breaks authorized_keys file in case there are multiple keys in the file.
* Update T1090.003.yaml
Add prereq for test 1 on batch file requirements
* Update T1090.003.yaml
fixed the spacing
* Update T1090.003.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
We have added a new atomic test with guid ffcbfaab-c9ff-470b-928c-f086b326089b that sets two registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText to display a ransom message. While executing this atomic test, the value for these registries can be configured using the switch -PromptForInputArgs. This technique has been used by many ransomwares in the past including SynAck, Grief, Maze, Pysa, Spook, DopplePaymer, Reedemer and Kangaroo. After encrypting files, ransomwares modify the Windows LegalNoticeCaption and LegalNoticeText registry keys to display a ransom message to victim at logon.
Changing the description of atomic test 251c5936-569f-42f4-9ac2-87a173b9e9b8 from "modifying the registry key" to "setting the registry key". In this context, the word "setting" sounds more appropriate than "modifying".
* Update T1204.002.yaml
Added Mirror Blast technique.
* Update T1204.002.yaml
Added cleanup command to Mirror Blast Test.
* Add files via upload
Added Excel sheet with macro to download 7zip.
* Add files via upload
Information about macro in Mirror Blast.
* use PathToAtomicsFolder
* add link to blog
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Atomic Red Team doc generator