Jesse Brown
e88a1ea463
update ATT&CK ids on Ranger, cookie miner, and qbot chain reactions (#1243)
...
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-10-07 11:35:19 -06:00
CircleCI Atomic Red Team doc generator
8eb52117b7
Generate docs from job=validate_atomics_generate_docs branch=master
2020-10-06 16:13:36 +00:00
Brian Thacker
5ba2d3e985
Update T1550.002.yaml (#1235)
...
added code to make prereq commands for test 1.
2020-10-06 10:13:14 -06:00
John Lambert
6be404bece
Fix 404 link in script (#1234)
...
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-10-05 10:34:43 -06:00
John Lambert
e2a501b28f
Fix 404 URL (#1233)
...
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-10-05 10:31:36 -06:00
John Lambert
1bc6c7e115
Updating 404 link (#1232)
...
The URL referenced a non-existing page (chain_reaction_DragonsTail_benign.ps1). Pretty sure it meant dragonstail_benign.ps1
2020-10-05 10:27:33 -06:00
CircleCI Atomic Red Team doc generator
23fc9289cf
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-29 15:47:51 +00:00
xkeyscore007
3cdd80d2f4
Test Case to search a user's bookmarks file from Internet Explorer (#1227)
...
* Lists the Internet Explorer bookmarks
This command lists the bookmarks for Internet Explorer that are found in the Favorites folder
* Update T1217.yaml
Also, below command can be used to achieve similar results -
dir /s /b C:\Users\%USERNAME%\Favorites
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-09-29 09:47:02 -06:00
CircleCI Atomic Red Team doc generator
910a2a764a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-29 13:53:28 +00:00
Katya Potapov
6870ca31c1
fix MITRE URL formatting (#1229)
2020-09-29 07:53:01 -06:00
CircleCI Atomic Red Team doc generator
f46f1788ab
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-18 18:45:01 +00:00
dwhite9
d3c575085f
removed cleanup command that deletes sharphound so the prereq only needs (#1226)
...
to be run once.
Co-authored-by: Daniel White <d0w019h@homeoffice.wal-mart.com>
2020-09-18 12:44:04 -06:00
CircleCI Atomic Red Team doc generator
aaf9b7500e
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-18 14:44:29 +00:00
Matt Graeber
46c29db12f
Merge pull request #1225 from cnotin/pr-T1028
...
T1028 "Windows Remote Management": split in several techniques
2020-09-18 10:44:04 -04:00
Clément Notin
749006a557
Fix bis
2020-09-18 16:38:41 +02:00
Clément Notin
9e5d5c5cb2
Fix mistake
2020-09-18 16:38:10 +02:00
cnotin
6000965b1e
T1028 "Windows Remote Management": split in several techniques
...
Fixes #1042
2020-09-18 15:57:11 +02:00
CircleCI Atomic Red Team doc generator
d68a57842a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-16 13:57:33 +00:00
Matt Graeber
4dc60fe603
Merge pull request #1224 from clr2of8/remove-fp-weakness
...
Remove File System Permissions Weakness atomic test
2020-09-16 09:57:12 -04:00
clr2of8
8fed41ac02
removing test
2020-09-16 07:50:24 -06:00
Amine Taouirsa
cebd539a36
Update T1218.011.inf (#1223)
...
Convert to Mitre ATT&CK sub-technique schema
2020-09-16 07:29:43 -06:00
CircleCI Atomic Red Team doc generator
30b77fc5a0
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-15 14:57:15 +00:00
Jil Larner
74ad1849de
Changed default computer target from computer1 to localhost in the remote execution through MMC (#1218)
...
Co-authored-by: Didier Cambefort <didier.cambefort@scrt.ch>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-09-15 08:56:52 -06:00
CircleCI Atomic Red Team doc generator
00948b0058
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-15 14:53:29 +00:00
Brian Thacker
7b90e89acd
Update T1053.003.yaml (#1221)
...
Add code to make cleanup commands.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-09-15 08:53:11 -06:00
CircleCI Atomic Red Team doc generator
45f59adc44
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-09 16:42:32 +00:00
kpsmiley23
e07e8842ef
Update T1106.yaml (#1217)
...
Execution doesn't currently work because tmp variable was broken
Tested successfully on a local instance
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-09-09 10:42:10 -06:00
CircleCI Atomic Red Team doc generator
166da61509
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-09 16:41:01 +00:00
Tsora-Pop
eb45d7274c
New Test T1562.004 (#1215)
...
* New test to allow program through firewall
This test will attempt to allow an executable through the system firewall located in the Users directory
* Create AtomicTestPlaceholder
* AtomicTest executable added for test
* Delete AtomicTestPlaceholder
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-09-09 10:40:38 -06:00
CircleCI Atomic Red Team doc generator
5277ef9105
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-09 16:35:21 +00:00
Jil Larner
70ad88fe10
T1098 - Added cleanup capability (#1216)
...
* Changed Admin Account Manipulate to be able to use Cleanup, as suggested in PR #1201
* Changed Admin Account Manipulate to be able to use Cleanup, as suggested in PR #1201
Co-authored-by: Didier Cambefort <didier.cambefort@scrt.ch>
2020-09-09 10:35:00 -06:00
CircleCI Atomic Red Team doc generator
115bb861b7
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-04 17:21:36 +00:00
Jesse Moore
ef53a91332
T1105.002 mp cmd run (#1214)
...
* Update T1105.yaml
Add MpCmdRun Windows Defender LOLB
* Update T1105.yaml
Corrected input and yaml spacing
* Update T1105.yaml
Added PreReq exit else
And better description with URL
* Update T1105.yaml
Carrie added enhancements. Thank you Carrie!
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-09-04 11:21:08 -06:00
CircleCI Atomic Red Team doc generator
dcb3d26d84
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-04 17:00:36 +00:00
Jesse Moore
74956c4425
Update T1562.002.yaml (#1213)
...
Update T1562.002.yaml with Invoke-Phant0m to Kill Windows Event Log Services Threads.
2020-09-04 10:59:55 -06:00
CircleCI Atomic Red Team doc generator
77428a9439
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-03 22:20:14 +00:00
Jesse Moore
46e38ff6d1
T1110.002 Hashcat (#1189)
...
* T1110.002 Hashcat
T1110.002 Hashcat
* Update to T1110.002.yaml
Since Hashcat downloads as 7zip I had to do some hacky things to get that to run on the system via $env:temp. I have tested via start-AtomicGUI, the check-prereqs, and GetReqs, Invoke-AtomicTest T1110.002 and the -cleanup command. This should be ready for anyone.
* Added Elevation is required for command
Elevation is Required for the attack command
* updates from Carrie
see comments in PR for details
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-09-03 16:19:30 -06:00
CircleCI Atomic Red Team doc generator
b69f27c2b3
Generate docs from job=validate_atomics_generate_docs branch=master
2020-09-03 21:49:12 +00:00
kpsmiley23
730a62b977
Update T1003.002.yaml (#1212)
...
Request raw Invoke-PowerDump.ps1 instead of repository page
2020-09-03 15:48:52 -06:00
CircleCI Atomic Red Team doc generator
04a409832e
Generate docs from job=validate_atomics_generate_docs branch=master
2020-08-20 20:40:34 +00:00
Geoff Galitz
f7584be904
T1003 NPPSPY GetPrereqs location fix (#1202)
...
* Before: NPPSPY is installed into atomics src directories, test
looks for it in the local temp directory resulting in an error.
After: Test is changed to look for NPPSPY directly in atomics src
directory
* Change test to install prereq to local temp directory and work from
there.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-08-20 14:40:09 -06:00
CircleCI Atomic Red Team doc generator
1411b5ec4a
Generate docs from job=validate_atomics_generate_docs branch=master
2020-08-20 20:38:40 +00:00
Laken Harrell
85f4f0ec3f
fixed prereq_command (#1205)
...
Co-authored-by: Harrell <LHarrell@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-08-20 14:37:47 -06:00
CircleCI Atomic Red Team doc generator
84054abce5
Generate docs from job=validate_atomics_generate_docs branch=master
2020-08-20 20:28:30 +00:00
Brandon Morgan
c8be2137d7
T1197 desktopimgdwnldr.exe (#1206)
...
* Update T1197.yaml
desktopimgdownldr.exe initial commit
* Update T1197.yaml
fixed parsing issue with command
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-08-20 14:27:09 -06:00
CircleCI Atomic Red Team doc generator
7e5f711d57
Generate docs from job=validate_atomics_generate_docs branch=master
2020-08-20 20:21:38 +00:00
bbucao
ee7deb22fd
Update to T1040.yaml test 3 "Packet capture windows command prompt" (#1208)
2020-08-20 14:21:07 -06:00
Matt Graeber
7e8eec1c7a
Merge pull request #1207 from clr2of8/csv-index
...
fix csv link on README
2020-08-19 11:34:24 -04:00
Carrie Roberts
fbba105bf1
Merge branch 'master' into csv-index
2020-08-19 09:31:30 -06:00
clr2of8
496b3e5ebf
fix csv link
2020-08-19 09:29:26 -06:00