e5166f0e66
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-11 15:16:44 +00:00
bbec07bcd6
Update T1176 with Edge Chromium Addon - VPN ( #980 )
...
* Update T1176 with Edge Chromium Addon - VPN
Added manual download, install, and cleanup for an Edge Chromium VPN extension.
* Update T1176 with Edge Chromium Addon - VPN
Added manual download, install, and cleanup for an Edge Chromium VPN extension.
2020-05-11 09:16:17 -06:00
5859178fd7
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-06 16:32:18 +00:00
bc35907026
typo fix ( #974 )
2020-05-06 10:31:48 -06:00
06c2cb5074
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-06 16:27:13 +00:00
c8520ab1af
fix type in T1028 command ( #976 )
...
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-05-06 10:26:34 -06:00
da779f042d
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-06 16:23:43 +00:00
7d63609ea3
Added dependencies and fixed tests for linux and macOS ( #973 )
...
* Added dependencies and fixed tests
* Added description to dependencies.
* Executable presence checked in dependencies
Co-authored-by: hypnoticpattern <>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-05-06 10:22:48 -06:00
d9dfeab6c2
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-06 13:34:18 +00:00
9fa3eefeb3
Merge pull request #975 from jessecbrown/master
...
[UPDATE] T1122 - Add two more COR_PROFILER tests
2020-05-06 09:34:01 -04:00
3184bea5d8
[UPDATE] T1122 - Add two more COR_PROFILER tests
...
Add two new cor_profiler tests leveraging system and user scope environment variables.
2020-05-05 20:43:48 -04:00
9860e65402
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-04 16:47:56 +00:00
405c8330fc
Update T1219.yaml ( #970 )
...
Added logmein download and execution. updated execution commands to reflect $env:username
2020-05-04 10:47:11 -06:00
2bde901e95
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-02 00:36:51 +00:00
9b73020cee
add T1122 COM Hijacking leveraging .NET profiler dll ( #969 )
...
* t1122 first blood
* add T1122 COM Hijacking leveraging .NET profiler dll
* update gitignore an cleanup
* a little more clean up :D and gitignores
* remove precopiled objs
2020-05-01 18:36:27 -06:00
cd8ef8f5c0
OCD :) ( #967 )
...
* OCD :)
* Generate docs from job=validate_atomics_generate_docs branch=atomic_friday
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-05-01 14:03:32 -06:00
83fe78b2ea
Merge pull request #966 from redcanaryco/Notes_05012020_InvokeAtomicRedTeam
...
Atomic Friday Notes - 05012020
2020-05-01 15:13:48 -04:00
c0b2785f40
Atomic Friday Notes - 05012020
2020-05-01 13:10:50 -06:00
d29abbca2c
Create Atomic Friday holding pen
2020-05-01 12:55:55 -06:00
287511465a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-01 15:56:01 +00:00
fd6a00b61c
a little cleanup ( #963 )
2020-05-01 09:55:27 -06:00
4a8fc85718
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-29 15:23:58 +00:00
c269c93ef5
SharpHound fixes ( #962 )
...
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
* little cleanup and correction to sharphound tests
2020-04-29 09:23:36 -06:00
163e84ca30
Update T1099.yaml - Timestomp ( #960 )
...
* Update T1099.yaml
New Timestomp Atomic test added to emulate MITRE ATT&CKs recent APT29 evals.
https://attackevals.mitre.org/APT29
* Generate docs from job=validate_atomics_generate_docs branch=T1099Take2
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-04-28 11:36:12 -06:00
f3e095dee9
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-28 17:04:21 +00:00
57197a9a6f
T1009, T1014, T1055, T1215: Added dependencies ( #958 )
...
Co-authored-by: hypnoticpattern <>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-28 11:03:53 -06:00
7c1e966f82
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-28 16:57:34 +00:00
18f618f20b
T1086 T1087 T1088 T1089 Updates ( #944 )
...
* 1087 Updates
* add 1086 Updates
* add T1088 updates
* update T1089
* typo fix
* typo fix
* typo fix
* fix input args
* remove uninstall sysmon changes
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-28 10:57:01 -06:00
7802132b9e
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-27 20:40:21 +00:00
77d3649202
corrected folder name ( #957 )
...
Co-authored-by: darin <darin@blackhillsinfosec.com >
2020-04-27 14:40:06 -06:00
09c8adfbef
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-27 19:54:47 +00:00
9d53c87787
Added test for T1089 for Remove-Service, introduced in Powershell 6.0 ( #954 )
...
* Added test for T1089 for Remove-Service, introduced in Powershell 6.0
* Added Stop-Service and changed Default Value to match Atomic Test 13
Co-authored-by: Marshall Darnell <md@Marshalls-MBP.localdomain >
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
Co-authored-by: Marshall Darnell <marshalldarnell@protonmail.com >
2020-04-27 13:54:33 -06:00
dc5a3c2131
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-27 19:51:36 +00:00
483bdf1ea1
Update T1219.yaml ( #956 )
...
fixed TeamViewer command and added AnyDesk test
Co-authored-by: Luminous-InfiniTom <35981510+Luminous-InfiniTom@users.noreply.github.com >
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-27 13:51:19 -06:00
e28da09de5
T1086 sharphound ( #955 )
...
* Updated T1086 - BloodHound/SharpHound Atomic Test
I have modified T1086-2 to work more effectively.
It now includes two test scenarios using SharpHound.
1. Using prereqs, will validate if sharphound.ps1 is found in the payloads directory within T1086 path. If not, it will download and store it locally.
2. Second test is a one liner that will download and run sharphound.
Input arguments added for hitting a internal domain and specifying the output directory.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Added color
It needed color. I added it.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Modified BloodHound Tests
Broke out the two BloodHound tests. One will execute from local disk, other will be from within memory.
Modified all payload paths to be from /src/ path.
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
* Elevation Not Required
Modified elevation, not required to be admin
* Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-27 13:47:14 -06:00
c6582e3b48
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-24 19:29:07 +00:00
5618b90ef4
T1170 T1174 T1204 T1214 T1216 Test Improvements ( #948 )
...
* T1170
* slight updates
* T1214
* add descriptions
* fix spelling
2020-04-24 13:28:39 -06:00
9d1146ae8a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-24 17:39:30 +00:00
94559fc270
T1081 T1082 T1141 T1145 Improvements ( #950 )
...
* improve tests
* fix spelling and prereqs
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-24 11:39:05 -06:00
512b194ec3
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-22 16:27:38 +00:00
5dc114511d
T1222 Improvements and Cleanup ( #949 )
...
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-22 10:27:11 -06:00
35f45ec0ec
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-22 16:26:12 +00:00
cc1aced76b
Minor fix for T1115 - Pipe Get-Clipboard output ( #952 )
...
* Update T1115.yaml
Update command for PowerShell so the contents of Get-Clipboard are actually invoked as an expression.
* Update Markdown PowerShell code snippet to reflect changes
* Pipe output of Get-Clipboard to iex in order to invoke the value of clipboard as a command
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-22 10:25:25 -06:00
ceafbf9c62
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-22 16:23:59 +00:00
4a8ec3b1c7
T1071 T1118 Improvements and Fixes ( #947 )
...
* start work
* test improvements
* fix type and broken sentence
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-22 10:23:42 -06:00
15f32ce196
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-22 16:19:41 +00:00
9458d814b0
Add test for T1045 that copies and runs packed binaries ( #945 )
...
* Add test for T1045 that copies and runs packed binaries
* Use magic variable PathToAtomicsFolder
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-22 10:18:56 -06:00
12a297615d
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-22 15:49:23 +00:00
3a3a7ba6e3
Fix: powerShell -> powershell ( #951 )
...
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2020-04-22 09:48:49 -06:00
be65f14e54
Generate docs from job=validate_atomics_generate_docs branch=master
2020-04-21 02:13:00 +00:00
CircleCI Atomic Red Team doc generator